W32MytobED@mm

chartman

I got hit by this and I now realise why, having searched this forum, so
thanks. I'm using NAV 2003 and it didn't stop it. Well, I've sorted most
of the problems, including its removal and using "cached" pages via
Google to access various web sites for help.
My remaining problem is this. The trojan did something to all the AV
web sites + Microsoft.com. (I fixed symantec.com.) What happens is when
I go to, say, microsoft.com, I get a popup asking for a username and
logon (as if it were an ftp site).
Can anyone tell me how to get rid of this popup?
I've now upgraded to NAV 2005. :)
System is XP pro.
TIA.
 
Kelvin Lin

Hi,
One thing you can check is, run netstat -b in your command prompt.
It will prompt you with all the processes that are connected to the internet.

Kill all the processes that you are not sure of. Please also check your
Windows registry, especially for IE.
Did you use MSFT Anti-spyware?
Try to scan in safe mode again.


Hope it will work

Kelvin Lin
 
George Hester

Is netstat -b specific to Windows XP? I checked in both Windows 2000 and XP
netstat /? and do not see that as a parameter.
 
George Hester

Well that is interesting for it doesn't appear in either op sys when netstat
/? is typed in. There is nothing on it. Do you know where that parameter
is described?

--
George Hester
_______________________________
Kelly said:
Yes and works fine here.

--

All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com
 
Kelvin Lin

Hi,

Netstat -b is only available to Windows XP Home or Professional with SP2
installed.
 
Nightowl

Kelvin Lin wrote on Sun, 19 Jun 2005:
One thing you can check is, run netstat -b in your command prompt.
It will prompt you with all the processes that are connected to the internet.

Kill all the processes that you are not sure of.

Hi Kelvin

I was curious and tried this, but all I see is:

Active Connections
Proto Local Address Foreign Address State PID

I get the same output if I type netstat -o too.

I noticed the help said this -b command can fail if you don't have the
full permissions, but I am the only user and administrator. Any ideas?
It does sound a useful trick.
 
Kelvin Lin

Hi Nightowl,

-b displays the executable involved in creating each connection or listening
port, while -o displays the owning process ID associated with each connection.

With -b, though it's time-consuming to load and requires users to have
sufficient permissions, it sometimes allows us to see trojans and malware.

But it's a useful command added by MSFT with XP SP2. ;)
 
Nightowl

Kelvin Lin wrote on Sun, 19 Jun 2005:
Hi Nightowl,

-b displays the executable involved in creating each connection or listening
port, while -o displays the owning process ID associated with each connection.

Hi Kelvin, thanks for your reply. What I was saying, though, is that
when I type netstat -b all I see is this:

Active Connections
Proto Local Address Foreign Address State PID

Just those two lines. I also get the same with netstat -o.
With -b, though it's time-consuming to load and requires users to have
sufficient permissions, it sometimes allows us to see trojans and malware.

But it's a useful command added by MSFT with XP SP2. ;)

Yes, that's why I'd like to be able to run it :) As I said I am the
admin and only user, and I do have SP2. Any ideas why it's not working
for me?
 
Guest

I've tried running netstat -b (WinXP Pro w/SP2 + Admin priv). The program
runs.

Problem: The window disappears in approx. 1 second.
 
Wesley Vogel

netstat -b is not a proper command.

Open a command prompt first.

Start | Run | Type: cmd | Click OK
In the command prompt window type:

netstat -ano

Hit your enter key.

To see netstat HELP, type:

netstat /?

Hit your enter key.


--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Wesley Vogel

I love it when a plan comes together. Keep having fun. :)

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Torgeir Bakken (MVP)

Wesley said:
netstat -b is not a proper command.
(snip)
Hi,

Actually, the -b switch was introduced with SP2 for WinXP.

Help output for netstat.exe on a WinXP SP2 computer:

C:\>netstat /?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]

-a Displays all connections and listening ports.
-b Displays the executable involved in creating each connection or
listening port. In some cases well-known executables host
multiple independent components, and in these cases the
sequence of components involved in creating the connection
or listening port is displayed. In this case the executable
name is in [] at the bottom, on top is the component it called,
and so forth until TCP/IP was reached. Note that this option
can be time-consuming and will fail unless you have sufficient
permissions.

(snip rest of help listing)
 
Wesley Vogel

That explains it then. I do not have XP SP2. I have XP SP1.

This is the *first* thing in XP SP2 that I have seen that even interests
me. ;-)

Thanks, Torgeir.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Torgeir Bakken (MVP) said:
Wesley said:
netstat -b is not a proper command.
(snip)
Hi,

Actually, the -b switch was introduced with SP2 for WinXP.

Help output for netstat.exe on a WinXP SP2 computer:

C:\>netstat /?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]

-a Displays all connections and listening ports.
-b Displays the executable involved in creating each connection or
listening port. In some cases well-known executables host
multiple independent components, and in these cases the
sequence of components involved in creating the connection
or listening port is displayed. In this case the executable
name is in [] at the bottom, on top is the component it called,
and so forth until TCP/IP was reached. Note that this option
can be time-consuming and will fail unless you have sufficient
permissions.

(snip rest of help listing)



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
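
Added example (not code from any poster in this thread): where netstat -b is unavailable, as on the XP SP1 machine mentioned above, the PID column of netstat -ano can be joined with a process list to get the same executable-per-connection view. The sample text is constructed, and using tasklist /fo csv /nh as the process-list source is this example's assumption.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    192.168.1.10:1043      203.0.113.7:8080       ESTABLISHED     1820
  TCP    192.168.1.10:1050      198.51.100.9:80        ESTABLISHED     2044
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv /nh` output; PID 2044 is left out on purpose.
SAMPLE_TASKLIST = '''\
"System","4","Console","0","212 K"
"svchost.exe","952","Console","0","3,944 K"
"example.exe","1820","Console","0","5,120 K"
'''

def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # banner, column header, blank line
        # UDP rows have no State column: 4 fields instead of 5.
        state = f[3] if len(f) == 5 else ""
        rows.append({"proto": f[0], "local": f[1], "remote": f[2],
                     "state": state, "pid": int(f[-1])})
    return rows

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text)) if len(r) > 1}

def connections_with_owner(netstat_text, tasklist_text):
    """Attach the image name to each row; a PID absent from tasklist exited or is hidden."""
    names = parse_tasklist(tasklist_text)
    rows = parse_netstat(netstat_text)
    for row in rows:
        row["image"] = names.get(row["pid"], "<not in tasklist>")
    return rows

if __name__ == "__main__":
    for r in connections_with_owner(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(r["proto"], r["local"], r["remote"], r["state"] or "-", r["pid"], r["image"])
```

On a live host, pass the captured output of the two commands to connections_with_owner in place of the samples.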
 
