
Something on my system is trying to connect to outside. But what???



Guest Frank Dreyfus
Posted

Hi,

Some process is making repeated attempts (every 5 seconds or so) to connect to ip: 216.168.41.231 TCP ports 135 and 524.

That ip appears to belong to Digital Forest in Seattle, WA. Digital Forest appears to be a web hosting company.

My firewall is blocking these attempts. It's the firewall log that alerted me to this situation.

I'd like to kill the process that's doing this, but have no idea how to find the process. Netstat is no help b/c there is no open connection; just an attempt.

Any ideas how to track this down?

Thanks,

Frank

Guest David H. Lipman
Posted

Re: Something on my system is trying to connect to outside. But what???

From: "Frank Dreyfus" <fdreyfus@nyw.com>

| Hi,
|
| Some process is making repeated attempts (every 5 seconds or so) to
| connect to ip: 216.168.41.231 TCP ports 135 and 524.
|
| That ip appears to belong to Digital Forest in Seattle, WA. Digital
| Forest appears to be a web hosting company.
|
| My firewall is blocking these attempts. It's the firewall log that
| alerted me to this situation.
|
| I'd like to kill the process that's doing this, but have no idea how to
| find the process. Netstat is no help b/c there is no open connection;
| just an attempt.
|
| Any ideas how to track this down?
|
| Thanks,
|
| Frank
|

Start by downloading the Sysinternals TCPView GUI utility. This utility will show what process is trying to connect to the Internet.

http://download.sysinternals.com/Files/TcpView.zip

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
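A scripted way to do what TCPView does for this case, added here as an example and not part of the thread or of any Sysinternals tool. A blocked outbound attempt does appear in the TCP table, but only briefly and in the SynSent state, which is why a single netstat snapshot misses it; polling the table catches it and reports the owning process. The script assumes Get-NetTCPConnection (Windows 8 / Server 2012 and later); the address and ports are the ones from Frank's post, and the 60-second poll window is an assumption.

```powershell
# Added example, not from the thread: poll the TCP table for attempts to reach
# a given remote address and report which process owns each one.
# Assumes Get-NetTCPConnection is available (Windows 8 / Server 2012 or later).
param(
    [string]$RemoteAddress = '216.168.41.231',   # from Frank's firewall log
    [int[]]$RemotePorts    = @(135, 524),        # from Frank's firewall log
    [int]$Seconds          = 60                  # assumed poll window
)

$seen = @{}
$stop = (Get-Date).AddSeconds($Seconds)

while ((Get-Date) -lt $stop) {
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object {
            $_.RemoteAddress -eq $RemoteAddress -and $RemotePorts -contains $_.RemotePort
        } |
        ForEach-Object {
            # Report each (PID, port) pair once. SynSent means the SYN went out and
            # nothing came back, which is exactly what a firewall-dropped attempt looks like.
            $key = '{0}:{1}' -f $_.OwningProcess, $_.RemotePort
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = $true
                $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
                $path = if ($proc) { $proc.Path }        else { '' }
                [pscustomobject]@{
                    Time    = Get-Date -Format 'HH:mm:ss'
                    State   = $_.State
                    Pid     = $_.OwningProcess
                    Process = $name
                    Path    = $path
                    Port    = $_.RemotePort
                }
            }
        }
    Start-Sleep -Milliseconds 250
}
```

Run it from an elevated PowerShell so that Path is filled in for system processes. If the firewall silently drops the SYN, the socket sits in SynSent for the whole retransmit period and is easy to catch; if the firewall answers with a reset instead, the entry vanishes almost immediately, which is why the poll interval is short. On older systems without Get-NetTCPConnection, the same idea works by looping over `netstat -ano` and matching the remote address column.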

Guest Frank Dreyfus
Posted

Re: Something on my system is trying to connect to outside. But what???

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:On0aowuuIHA.576@TK2MSFTNGP05.phx.gbl:

> Start by downloading the Sysinternals TCPView GUI utility.

Thanks!

A very handy utility indeed.

For future users with this issue...

It turned out to be HPBPRO.exe. An HP utility installed along with the printer driver. It doesn't appear to be needed at all and some users have found that it consumes 100% CPU time when it runs (that's every 5 seconds!).

See here: http://forums12.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1211341805724+28353475&threadId=370850

for a discussion and methods for disabling it. I used John Fleming's method and it seems to work perfectly.

Don't know why they install this stuff in the first place.

Thanks for your help,

Frank

Guest jameshanley39@yahoo.co.uk
Posted

Re: Something on my system is trying to connect to outside. But what???

On 21 May, 03:41, "David H. Lipman" <DLipman~nosp...@Verizon.Net> wrote:
> From: "Frank Dreyfus" <fdrey...@nyw.com>
>
> | Hi,
> |
> | Some process is making repeated attempts (every 5 seconds or so) to
> | connect to ip: 216.168.41.231 TCP ports 135 and 524.
> |
> | That ip appears to belong to Digital Forest in Seattle, WA. Digital
> | Forest appears to be a web hosting company.
> |
> | My firewall is blocking these attempts. It's the firewall log that
> | alerted me to this situation.
> |
> | I'd like to kill the process that's doing this, but have no idea how to
> | find the process. Netstat is no help b/c there is no open connection;
> | just an attempt.
> |
> | Any ideas how to track this down?
> |
> | Thanks,
> |
> | Frank
> |
>
> Start by downloading the Sysinternals TCPView GUI utility. This utility will show what
> process is trying to connect to the Internet.
>
> http://download.sysinternals.com/Files/TcpView.zip
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

I used to use Active Ports.. and netstat for a snapshot..
But even then.
Suppose it says svchost.exe

Then what would -you-/readers do?

Guest David H. Lipman
Posted

Re: Something on my system is trying to connect to outside. But what???

From: <jameshanley39@yahoo.co.uk>

|
| I used to use Active Ports.. and netstat for a snapshot..
| But even then.
| Suppose it says svchost.exe
|
| Then what would -you-/readers do?

If the communication is not from a separate EXE file then you have to determine what is loaded into the OS through a utility such as Process Explorer. You would suspend processes until the communication stops and then isolate the process. Then you have a clue to what the actual process is and you can then delve into what modules are loaded by that process. Not easy for a beginner.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
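For the "suppose it says svchost.exe" case, here is an added example (not from the thread, and not Process Explorer's own output) of what to look at inside the process before suspending anything. svchost.exe is only a host: the code that actually runs is named by each hosted service's ServiceDll value, so those files are what to judge. The second part lists loaded modules that are not validly signed by Microsoft, because the "Company" string Process Explorer displays comes from the file's version resource and can say anything, while an Authenticode check cannot be passed without a valid certificate chain. $ProcId is assumed to come from TCPView or `netstat -ano`.

```powershell
# Added example, not from the thread: inspect the process that owns a connection
# attempt. For svchost.exe, list the services sharing the PID and the ServiceDll
# each one loads; for any process, list modules not validly signed by Microsoft.
param([Parameter(Mandatory = $true)][int]$ProcId)   # PID from TCPView / netstat -ano

$proc = Get-Process -Id $ProcId -ErrorAction Stop
'Process {0} (PID {1}), image: {2}' -f $proc.ProcessName, $ProcId, $proc.Path

# 1. Services hosted in this PID. A shared-host service names its code in the
#    ServiceDll value under its Parameters key; that file, not svchost.exe, is
#    what needs to be judged.
Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $ProcId" | ForEach-Object {
    $params = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters" `
                               -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service    = $_.Name
        State      = $_.State
        StartMode  = $_.StartMode
        ServiceDll = [Environment]::ExpandEnvironmentVariables([string]$params.ServiceDll)
    }
}

# 2. Loaded modules. Version-resource "Company" strings can be spoofed; the
#    Authenticode signature is the check. Anything not Valid, or not signed by
#    Microsoft, deserves a closer look (legitimate third-party drivers and shell
#    extensions will show up here too, so this is a triage list, not a verdict).
foreach ($m in $proc.Modules) {
    $sig    = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $status = if ($sig) { $sig.Status } else { 'Unknown' }
    if ($status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
        [pscustomobject]@{
            Module = $m.ModuleName
            Path   = $m.FileName
            Status = $status
            Signer = $signer
        }
    }
}
```

Run it elevated, and from a 64-bit PowerShell on a 64-bit system, otherwise the module list of a 64-bit process is not readable. On older Windows releases many Microsoft system files are signed only through catalog files, which older versions of Get-AuthenticodeSignature report as NotSigned, so on those systems the module list will be longer than it should be; the service-to-DLL mapping in the first part does not depend on signatures at all.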

Guest jameshanley39@yahoo.co.uk
Posted

Re: Something on my system is trying to connect to outside. But what???

On 21 May, 21:35, "David H. Lipman" <DLipman~nosp...@Verizon.Net> wrote:
> From: <jameshanle...@yahoo.co.uk>
>
> |
> | I used to use Active Ports.. and netstat for a snapshot..
> | But even then.
> | Suppose it says svchost.exe
> |
> | Then what would -you-/readers do?
>
> If the communication is not from a separate EXE file then you have to determine what is
> loaded into the OS through a utility such as Process Explorer. You would suspend processes
> until the communication stops and then isolate the process. Then you have a clue to what
> the actual process is and you can then delve into what modules are loaded by that process.
> Not easy for a beginner.
>
> --

ok... I see the process is for techies.. no problem, most here are techies.. Just warn the non-techies!

your method sounds a bit better than the one I have seen. The method I saw was using "sysinternals" process explorer, see what DLLs are using the process. If one looked suspicious e.g. it was called skjfdfd.dll !!!! Then rename the dll. And looking at the company listed as publisher - though that can be spoofed.

(of course, renaming a dll in use, is like the methods of deleting an "undeletable" file. unlocker, safe mode. If all else fails - bart pe will do it without any difficulty. )

I guess when you say isolate and suspend processes (to find the culprit process), you mean suspend the dll. Since really it is only one EXE/process that is being used/abused/hijacked.

How would you "suspend the process" ?

Guest David H. Lipman
Posted

Re: Something on my system is trying to connect to outside. But what???

From: <jameshanley39@yahoo.co.uk>

|
| ok... I see the process is for techies.. no problem, most here are
| techies.. Just warn the non-techies!
|
| your method sounds a bit better than the one I have seen. The method I
| saw was using "sysinternals" process explorer, see what DLLs are using
| the process. If one looked suspicious e.g. it was called
| skjfdfd.dll !!!! Then rename the dll. And looking at the company
| listed as publisher - though that can be spoofed.
|
| (of course, renaming a dll in use, is like the methods of deleting an
| "undeletable" file. unlocker, safe mode. If all else fails - bart pe
| will do it without any difficulty. )
|
| I guess when you say isolate and suspend processes (to find the
| culprit process), you mean suspend the dll. Since really it is only
| one EXE/process that is being used/abused/hijacked.
|
| How would you "suspend the process" ?

Using Process Explorer, Right-Click on the process and choose Suspend.

Now in a case of a DLL such as; skjfdfd.dll
You would want to determine the loading vector and fully qualified name and path.

Example FQN: %windir%\system32\skjfdfd.dll

You can search the Registry for; skjfdfd.dll and thus find the loading vector.

The Sysinternals utility AutoRuns can also be used.
http://download.sysinternals.com/Files/Autoruns.zip

Let's say it uses Winlogon/Notify to load.

Example:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\skjfdfd

You can try to delete the key. Chances are it is protecting itself and you can't delete that key but you can try. If you are successful, you can then reboot the PC and delete the DLL. If the key (in the example) Winlogon\Notify\skjfdfd could NOT be deleted then you can boot into the Recovery Console and logon as Administrator.

In the Recovery Console you can then rename/delete the file %windir%\system32\skjfdfd.dll and then reboot.

NOTE: The above is NOT all inclusive. There are variations to the above approach and possible additional steps.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
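The registry search Dave describes, written out as an added example (not from the thread and not Autoruns). It walks the registry areas that hold most auto-start entries, including the Winlogon\Notify key used in his example, reports every key or value that names the DLL, and then shows the file's timestamps and signature state. skjfdfd.dll is the hypothetical name from the thread; the script only reads, so it can be run before deciding whether a key or file needs to go.

```powershell
# Added example, not from the thread: find the loading vector of a named DLL by
# searching the registry areas that hold most auto-start entries, then inspect
# the file. Read-only; nothing is deleted or renamed.
param([string]$DllName = 'skjfdfd.dll')   # hypothetical name used in the thread

$baseName = [IO.Path]::GetFileNameWithoutExtension($DllName)
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion',  # Winlogon\Notify, Windows\AppInit_DLLs
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',     # Run, RunOnce, ShellServiceObjectDelayLoad
    'HKLM:\SYSTEM\CurrentControlSet\Services'              # <service>\Parameters\ServiceDll
)

$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        # A key named after the DLL (e.g. Winlogon\Notify\skjfdfd) is itself a hit.
        if ($key.PSChildName -eq $baseName) {
            [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
        }
        # Any value whose data mentions the file name is a hit. GetValue expands
        # REG_EXPAND_SZ, so "%SystemRoot%\system32\skjfdfd.dll" still matches.
        foreach ($valueName in $key.GetValueNames()) {
            $data = [string]$key.GetValue($valueName)
            if ($data -like "*$DllName*") {
                [pscustomobject]@{ Key = $key.Name; Value = $valueName; Data = $data }
            }
        }
    }
}
if ($hits) { $hits | Format-Table -AutoSize }
else       { "No registry reference to $DllName under the searched roots." }

# The file itself: where it is, when it appeared, and whether it carries a signature.
$file = Join-Path $env:windir "system32\$DllName"
if (Test-Path $file) {
    Get-Item $file | Select-Object FullName, Length, CreationTime, LastWriteTime
    Get-AuthenticodeSignature -FilePath $file |
        Select-Object Status, @{ n = 'Signer'; e = { if ($_.SignerCertificate) { $_.SignerCertificate.Subject } } }
} else {
    "$file not present; it may live elsewhere, e.g. Get-ChildItem -Path $env:SystemDrive\ -Filter $DllName -Recurse -ErrorAction SilentlyContinue"
}
```

The three roots cover the Winlogon\Notify, Run and ServiceDll vectors named in this thread; Autoruns looks at many more (COM InprocServer32 entries, browser helper objects, scheduled tasks, drivers), so an empty result here means only that the common vectors are clean. A CreationTime that matches the moment the firewall alerts began is often the quickest confirmation that the right file has been found.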

Guest jameshanley39@yahoo.co.uk
Posted

Re: Something on my system is trying to connect to outside. But what???

On 21 May, 22:32, "David H. Lipman" <DLipman~nosp...@Verizon.Net> wrote:
> From: <jameshanle...@yahoo.co.uk>
>
> |
> | ok... I see the process is for techies.. no problem, most here are
> | techies.. Just warn the non-techies!
> |
> | your method sounds a bit better than the one I have seen. The method I
> | saw was using "sysinternals" process explorer, see what DLLs are using
> | the process. If one looked suspicious e.g. it was called
> | skjfdfd.dll !!!! Then rename the dll. And looking at the company
> | listed as publisher - though that can be spoofed.
> |
> | (of course, renaming a dll in use, is like the methods of deleting an
> | "undeletable" file. unlocker, safe mode. If all else fails - bart pe
> | will do it without any difficulty. )
> |
> | I guess when you say isolate and suspend processes (to find the
> | culprit process), you mean suspend the dll. Since really it is only
> | one EXE/process that is being used/abused/hijacked.
> |
> | How would you "suspend the process" ?
>
> Using Process Explorer, Right-Click on the process and choose Suspend.
>
> Now in a case of a DLL such as; skjfdfd.dll
> You would want to determine the loading vector and fully qualified name and path.
>
> Example FQN: %windir%\system32\skjfdfd.dll
>
> You can search the Registry for; skjfdfd.dll and thus find the loading vector.
>
> The Sysinternals utility AutoRuns can also be used.
> http://download.sysinternals.com/Files/Autoruns.zip
>
> Let's say it uses Winlogon/Notify to load.
>
> Example:
> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\skjfdfd
>
> You can try to delete the key. Chances are it is protecting itself and you can't delete
> that key but you can try. If you are successful, you can then reboot the PC and delete the
> DLL. If the key (in the example) Winlogon\Notify\skjfdfd could NOT be deleted then you can
> boot into the Recovery Console and logon as Administrator.
>
> In the Recovery Console you can then rename/delete the file %windir%\system32\skjfdfd.dll
> and then reboot.
>
> NOTE: The above is NOT all inclusive. There are variations to the above approach and
> possible additional steps.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

that's a great post..

Are there any forums that have descriptions like this, which collectively, are fairly all-inclusive ?

Guest David H. Lipman
Posted

Re: Something on my system is trying to connect to outside. But what???

From: <jameshanley39@yahoo.co.uk>

|
| that's a great post..
|
| Are there any forums that have descriptions like this, which
| collectively, are fairly all-inclusive ?

Such discussions go on in various spyware and virus related news groups.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

