
virus, trojan? netstat shows a bunch of ips that I don't recognize

LordSnailz
I don't have any running, and it shows IPs that I don't recognize; the ones that worry me the most are the res.edu ones.

I've installed Spybot, Kaspersky Antivirus, AntiVir and Ad-Aware, and everything is coming out clean.

Any suggestions that would check to see if there are any viruses that are using my connection for something? TIA!
 
You could do a whois/ARIN search on the res.edu IP and see what country it's coming from:
http://www.dnsstuff.com/
You didn't mention a firewall.
AV software like Kaspersky is always connected to their server upon bootup. There is also the XP SP2 firewall.

First thing I would do is use Process Explorer to see what's going on. If your PC is being used as a bot, they would have to use some kind of process/DLL, so start disabling suspicious items:
http://www.sysinternals.com/Utilities/ProcessExplorer.html

See if CPU usage spikes for no reason

(XP's own process list is not that deep; it misses stuff.)
You could also disable anything remote in Local Services, like Telnet, Remote Desktop, etc., one by one and see if the IPs go away:
http://www.theeldergeek.com/services_guide.htm
http://www.techtree.com/techtree/jsp/article.jsp?article_id=70112&cat_id=584

Ad-Aware 1.06 RC1 SE also has a quite good process finder.
You could also install the free ZoneAlarm and see if it blocks these IPs.
Or run HijackThis.
 
Originally posted by: Bozo Galora
...
First thing I would do is use Process Explorer to see what's going on. If your PC is being used as a bot, they would have to use some kind of process/DLL, so start disabling suspicious items:
http://www.sysinternals.com/Utilities/ProcessExplorer.html
...

Try TCPView from Sysinternals in addition to Process Explorer. It is similar to netstat, but also shows the processes that are "responsible" for the connections.
 
Originally posted by: LordSnailz
I don't have any running, and it shows IPs that I don't recognize; the ones that worry me the most are the res.edu ones.

I've installed Spybot, Kaspersky Antivirus, AntiVir and Ad-Aware, and everything is coming out clean.

Any suggestions that would check to see if there are any viruses that are using my connection for something? TIA!

Are you on a campus?
 
Thanks guys, I'll give Sysinternals a try. And nope, not on campus, using Comcast.

This is what I'm seeing through netstat:


Active Connections

Proto Local Address Foreign Address State
TCP mycomputer:1062 localhost:18350 ESTABLISHED
TCP mycomputer:1069 localhost:1070 ESTABLISHED
TCP mycomputer:1070 localhost:1069 ESTABLISHED
TCP mycomputer:1155 localhost:1156 ESTABLISHED
TCP mycomputer:1156 localhost:1155 ESTABLISHED
TCP mycomputer:1393 localhost:8100 TIME_WAIT
TCP mycomputer:1394 localhost:8100 TIME_WAIT
TCP mycomputer:1398 localhost:8100 TIME_WAIT
TCP mycomputer:1399 localhost:8100 TIME_WAIT
TCP mycomputer:1400 localhost:8100 TIME_WAIT
TCP mycomputer:1401 localhost:8100 TIME_WAIT
TCP mycomputer:1404 localhost:8100 TIME_WAIT
TCP mycomputer:1405 localhost:8100 TIME_WAIT
TCP mycomputer:8200 localhost:1390 TIME_WAIT
TCP mycomputer:8200 localhost:1395 TIME_WAIT
TCP mycomputer:8200 localhost:1397 TIME_WAIT
TCP mycomputer:8200 localhost:1402 TIME_WAIT
TCP mycomputer:8200 localhost:1403 TIME_WAIT
TCP mycomputer:8200 localhost:1406 TIME_WAIT
TCP mycomputer:18350 localhost:1062 ESTABLISHED
TCP mycomputer:1084 72.14.253.125:5222 ESTABLISHED
TCP mycomputer:1089 153geomech-7.civil.mcgill.ca:6055 ESTABLISHED
TCP mycomputer:1162 static-fxfeeds.nslb.sj.mozilla.com:http ESTABLISHED
TCP mycomputer:1163 66.249.81.102:http ESTABLISHED
TCP mycomputer:1320 64.12.26.54:5190 ESTABLISHED
TCP mycomputer:1326 oam-m09a.blue.aol.com:5190 ESTABLISHED
TCP mycomputer:1331 caim-d05b.blue.aol.com:5190 ESTABLISHED
TCP mycomputer:1336 205.188.1.128:5190 ESTABLISHED
TCP mycomputer:1353 208.65.201.106:http ESTABLISHED
TCP mycomputer:1354 208.65.201.106:http ESTABLISHED
TCP mycomputer:1363 69-44-123-103.wcg.net:http ESTABLISHED
TCP mycomputer:1367 208.65.201.100:http ESTABLISHED
TCP mycomputer:1391 66-193-254-46.static.twtelecom.net:http ESTABLISHED
TCP mycomputer:1392 66-193-254-46.static.twtelecom.net:http ESTABLISHED


Anything weird? What worries me is "153geomech-7.civil.mcgill.ca"; usually that's where I would see the .edu address. The AOL ones are because I have AIM on; the other stuff I don't really recognize.
 
It would be nice if you closed IM clients, web browsers and e-mail clients, then ran TCPView again.

Helps narrow out the false positives 🙂

- JaAG
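As an added example (not code from the thread or from any of the posters), here is the triage that the TCPView reply and JaAG's "close the known apps and look again" advice describe, in Python: parse the netstat listing, drop the loopback and TIME_WAIT rows that are not live remote connections, and diff a snapshot taken with IM, browser and mail open against one taken after closing them. `BEFORE` is a subset of the rows LordSnailz posted (wrapped lines rejoined, most of the localhost rows left out to keep it short); `AFTER` is constructed purely to exercise the three buckets and does not reflect what the poster actually saw. The port hints are general protocol facts, not an identification of any host in the thread.

```python
"""Triage a Windows netstat listing the way the thread suggests: drop loopback and
TIME_WAIT noise, then diff a snapshot taken with IM/browser/mail open against one
taken after closing them, so only peers nobody has explained are left to chase."""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_host local_port remote_host remote_port state")

# Four-column layout of `netstat -a` on Windows XP; UDP rows carry no state column.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")
LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}
# Hints only: a port says what protocol usually lives there, not which program owns the socket.
PORT_HINTS = {"http": "web", "443": "web (TLS)", "5190": "AIM/ICQ (OSCAR)", "5222": "XMPP chat"}


def parse_netstat(text):
    """One Conn per connection row; the 'Active Connections' banner and header are skipped."""
    return [Conn(*m.groups()) for m in map(LINE_RE.match, text.splitlines()) if m]


def is_noise(c):
    """Loopback peers are local IPC, not a network host; TIME_WAIT is a socket the OS is
    already tearing down. Neither is a live remote connection worth chasing."""
    return c.remote_host in LOOPBACK or c.state == "TIME_WAIT"


def live_remote_endpoints(conns):
    """Distinct (host, port) peers that are actually up, with the noise removed."""
    return {(c.remote_host, c.remote_port) for c in conns if not is_noise(c)}


def attribute(before, after):
    """Bucket the peers: gone after closing the known apps (explained by them), still present
    (needs an owning process via netstat -o / TCPView, then a whois), or new since."""
    b, a = live_remote_endpoints(before), live_remote_endpoints(after)
    return {"explained_by_closed_apps": b - a, "still_unexplained": b & a, "new_since": a - b}


def describe(endpoint):
    host, port = endpoint
    return f"{host}:{port}  [{PORT_HINTS.get(port, 'no hint; find owner, then whois')}]"


# Rows quoted in the thread (subset: wrapped lines rejoined, most localhost rows omitted).
BEFORE = """Active Connections

Proto Local Address Foreign Address State
TCP mycomputer:1062 localhost:18350 ESTABLISHED
TCP mycomputer:18350 localhost:1062 ESTABLISHED
TCP mycomputer:1393 localhost:8100 TIME_WAIT
TCP mycomputer:8200 localhost:1390 TIME_WAIT
TCP mycomputer:1084 72.14.253.125:5222 ESTABLISHED
TCP mycomputer:1089 153geomech-7.civil.mcgill.ca:6055 ESTABLISHED
TCP mycomputer:1162 static-fxfeeds.nslb.sj.mozilla.com:http ESTABLISHED
TCP mycomputer:1163 66.249.81.102:http ESTABLISHED
TCP mycomputer:1320 64.12.26.54:5190 ESTABLISHED
TCP mycomputer:1326 oam-m09a.blue.aol.com:5190 ESTABLISHED
TCP mycomputer:1331 caim-d05b.blue.aol.com:5190 ESTABLISHED
TCP mycomputer:1336 205.188.1.128:5190 ESTABLISHED
TCP mycomputer:1353 208.65.201.106:http ESTABLISHED
TCP mycomputer:1354 208.65.201.106:http ESTABLISHED
TCP mycomputer:1363 69-44-123-103.wcg.net:http ESTABLISHED
TCP mycomputer:1367 208.65.201.100:http ESTABLISHED
TCP mycomputer:1391 66-193-254-46.static.twtelecom.net:http ESTABLISHED
TCP mycomputer:1392 66-193-254-46.static.twtelecom.net:http ESTABLISHED
"""

# Constructed second snapshot "after closing AIM, Firefox and mail"; not the poster's real data.
AFTER = """Active Connections

Proto Local Address Foreign Address State
TCP mycomputer:1062 localhost:18350 ESTABLISHED
TCP mycomputer:18350 localhost:1062 ESTABLISHED
TCP mycomputer:1336 205.188.1.128:5190 TIME_WAIT
TCP mycomputer:1084 72.14.253.125:5222 ESTABLISHED
TCP mycomputer:1089 153geomech-7.civil.mcgill.ca:6055 ESTABLISHED
"""

if __name__ == "__main__":
    for bucket, peers in attribute(parse_netstat(BEFORE), parse_netstat(AFTER)).items():
        print(bucket)
        for peer in sorted(peers):
            print("   ", describe(peer))
```

Whatever lands in `still_unexplained` is the short list to take to Process Explorer/TCPView for the owning process and then to a whois lookup; a peer that only shows up in `new_since` deserves the same treatment. On XP, `netstat -ano` adds the owning PID as a fifth column, and adapting `LINE_RE` to capture it is a one-token change.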
 