Something on my system is trying to connect to outside. But what???

Thread starter: Frank Dreyfus

Hi,

Some process is making repeated attempts (every 5 seconds or so) to
connect to ip: 216.168.41.231 TCP ports 135 and 524.

That ip appears to belong to Digital Forest in Seattle, WA. Digital
Forest appears to be a web hosting company.

My firewall is blocking these attempts. It's the firewall log that
alerted me to this situation.

I'd like to kill the process that's doing this, but have no idea how to
find the process. Netstat is no help b/c there is no open connection;
just an attempt.

Any ideas how to track this down?

Thanks,


Frank
 
From: "Frank Dreyfus" <[email protected]>

| Hi,
|
| Some process is making repeated attempts (every 5 seconds or so) to
| connect to ip: 216.168.41.231 TCP ports 135 and 524.
|
| That ip appears to belong to Digital Forest in Seattle, WA. Digital
| Forest appears to be a web hosting company.
|
| My firewall is blocking these attempts. It's the firewall log that
| alerted me to this situation.
|
| I'd like to kill the process that's doing this, but have no idea how to
| find the process. Netstat is no help b/c there is no open connection;
| just an attempt.
|
| Any ideas how to track this down?
|
| Thanks,
|
| Frank
|

Start by downloading the Sysinternals TCPView GUI utility. This utility will show what
process is trying to connect to the Internet.

http://download.sysinternals.com/Files/TcpView.zip
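Frank's complaint that netstat shows nothing because there is only an attempt, never an open connection, is what TCPView gets around by refreshing continuously. The same idea with built-in PowerShell, as an added example that is not code from the thread; it assumes a Windows 8 / Server 2012 or later host (for Get-NetTCPConnection), an elevated shell, and the address and ports from Frank's firewall log:

```powershell
# Added example, not from the thread: poll the TCP table for outbound attempts to the
# address in the firewall log and resolve each one to its owning process.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection) and an elevated shell.
param(
    [string]$RemoteAddress = '216.168.41.231',   # address from the firewall log
    [int[]]$RemotePorts    = @(135, 524),        # ports from the firewall log
    [int]$Seconds          = 60                  # poll longer than the ~5 s retry interval
)

$seen     = @{}
$deadline = (Get-Date).AddSeconds($Seconds)

while ((Get-Date) -lt $deadline) {
    # A connect() that gets no answer sits in SynSent for a while before the stack gives up;
    # a single netstat snapshot usually misses it, a tight poll usually does not.
    $attempts = Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue |
        Where-Object { $RemotePorts -contains $_.RemotePort }

    foreach ($c in $attempts) {
        $key = "$($c.OwningProcess):$($c.RemotePort)"
        if ($seen.ContainsKey($key)) { continue }      # report each PID/port pair once
        $seen[$key] = $true

        # Win32_Process gives the image path, parent and command line of the owner
        $p = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)"
        [pscustomobject]@{
            Time        = Get-Date -Format 'HH:mm:ss'
            State       = $c.State
            RemotePort  = $c.RemotePort
            PID         = $c.OwningProcess
            Process     = $p.Name
            Path        = $p.ExecutablePath
            ParentPID   = $p.ParentProcessId
            CommandLine = $p.CommandLine
        }
    }
    Start-Sleep -Milliseconds 250
}
```

If the block is done by the Windows Firewall on the same host rather than a separate device, the connect call is refused before a SYN leaves and the attempt may never appear in the TCP table; there, enabling the "Filtering Platform Connection" failure audit with auditpol and reading Security event 5157 gives the blocked application's path and PID directly.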
 
Start by downloading the Sysinternals TCPView GUI utility.

Thanks!

A very handy utility indeed.

For future users with this issue...

It turned out to be HPBPRO.exe. An HP utility installed along with the
printer driver. It doesn't appear to be needed at all and some users
have found that it consumes 100% CPU time when it runs (that's every 5
seconds!).

See here: http://forums12.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1211341805724+28353475&threadId=370850

for a discussion and methods for disabling it. I used John Fleming's
method and it seems to work perfectly.

Don't know why they install this stuff in the first place.

Thanks for your help,


Frank
 
I used to use Active Ports.. and netstat for a snapshot..
But even then.
Suppose it says svchost.exe

Then what would -you-/readers do?
 
From: <[email protected]>


|
| I used to use Active Ports.. and netstat for a snapshot..
| But even then.
| Suppose it says svchost.exe
|
| Then what would -you-/readers do?

If the communication is not from a separate EXE file then you have to determine what is
loaded into the OS through a utility such as Process Explorer. You would suspend processes
until the communication stops and then isolate the process. Then you have a clue to what
the actual process is and you can then delve into what modules are loaded by that process.
Not easy for a beginner.
 
--

ok... I see the process is for techies.. no problem, most here are
techies.. Just warn the non-techies!


your method sounds a bit better than the one I have seen. The method I
saw was using "sysinternals" process explorer, see what DLLs are using
the process. If one looked suspicious e.g. it was called
skjfdfd.dll !!!! Then rename the dll. And looking at the company
listed as publisher - though that can be spoofed.

(of course, renaming a dll in use, is like the methods of deleting an
"undeletable" file. unlocker, safe mode. If all else fails - bart pe
will do it without any difficulty. )

I guess when you say isolate and suspend processes (to find the
culprit process), you mean suspend the dll. Since really it is only
one EXE/process that is being used/abused/hijacked.

How would you "suspend the process" ?
 
From: <[email protected]>


|
| ok... I see the process is for techies.. no problem, most here are
| techies.. Just warn the non-techies!
|
| your method sounds a bit better than the one I have seen. The method I
| saw was using "sysinternals" process explorer, see what DLLs are using
| the process. If one looked suspicious e.g. it was called
| skjfdfd.dll !!!! Then rename the dll. And looking at the company
| listed as publisher - though that can be spoofed.
|
| (of course, renaming a dll in use, is like the methods of deleting an
| "undeletable" file. unlocker, safe mode. If all else fails - bart pe
| will do it without any difficulty. )
|
| I guess when you say isolate and suspend processes (to find the
| culprit process), you mean suspend the dll. Since really it is only
| one EXE/process that is being used/abused/hijacked.
|
| How would you "suspend the process" ?

Using Process Explorer, Right-Click on the process and choose Suspend.

Now in a case of a DLL such as; skjfdfd.dll
You would want to determine the loading vector and fully qualified name and path.

Example FQN: %windir%\system32\skjfdfd.dll

You can search the Registry for; skjfdfd.dll and thus find the loading vector.

The Sysinternals utility AutoRuns can also be used.
http://download.sysinternals.com/Files/Autoruns.zip

Let's say it uses Winlogon\Notify to load.

Example:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\skjfdfd

You can try to delete the key. Chances are it is protecting itself and you can't delete
that key but you can try. If you are successful, you can then reboot the PC and delete the
DLL. If the key (in the example) Winlogon\Notify\skjfdfd could NOT be deleted then you can
boot into the Recovery Console and logon as Administrator.

In the Recovery Console you can then rename/delete the file %windir%\system32\skjfdfd.dll
and then reboot.

NOTE: The above is NOT all inclusive. There are variations to the above approach and
possible additional steps.
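The two steps above, inspecting what a process (typically a shared host like svchost.exe) has loaded and then hunting the loading vector in the Registry, scripted as an added example that is not code from the thread. It assumes a PID already pinned down with TCPView or similar, a modern Windows host with PowerShell, and the set of autostart keys listed in the script; the Services hive is included because its ServiceDll values are what tell svchost.exe which DLL to host:

```powershell
# Added example, not from the thread: list modules loaded by a process that are either
# outside %windir% or lack a valid Authenticode signature, then search common autostart
# keys for each such module name to locate its loading vector.
param([Parameter(Mandatory)][int]$ProcessId)

$proc    = Get-Process -Id $ProcessId -ErrorAction Stop
$sysRoot = $env:SystemRoot

# 1. Loaded modules: flag anything outside %windir% or without a valid signature.
#    Publisher strings can be spoofed, so the signature check is what matters here.
$suspect = foreach ($m in $proc.Modules) {
    $sig      = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
    $inWindir = $m.FileName -like "$sysRoot\*"
    if (-not $inWindir -or $sig.Status -ne 'Valid') {
        [pscustomobject]@{
            Module    = $m.ModuleName
            Path      = $m.FileName
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    }
}
$suspect | Format-Table -AutoSize

# 2. Autostart locations to search for the module name. Winlogon\Notify (the thread's
#    example) lives under the Winlogon key on XP-era systems; Services\<svc>\Parameters
#    holds the ServiceDll values that svchost.exe loads.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',   # AppInit_DLLs
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

foreach ($name in ($suspect.Module | Sort-Object -Unique)) {
    foreach ($root in $autostartKeys) {
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            # match a subkey named after the DLL (Winlogon\Notify\<name> style) ...
            if ($key.PSChildName -like "*$name*") { "$name : key $($key.Name)" }
            # ... or any value whose data references it (Run entries, ServiceDll, AppInit_DLLs)
            foreach ($v in $key.GetValueNames()) {
                $data = [string]$key.GetValue($v)
                if ($data -like "*$name*") { "$name : $($key.Name)\$v = $data" }
            }
        }
    }
}
```

Suspend the process first (Process Explorer, right-click, Suspend) so the attempts stop while you work through the output; a hit under Services points at a ServiceDll, which is the usual answer to "it says svchost.exe".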
 
that's a great post..

Are there any forums that have descriptions like this, which
collectively, are fairly all-inclusive ?
 
From: <[email protected]>


|
| that's a great post..
|
| Are there any forums that have descriptions like this, which
| collectively, are fairly all-inclusive ?

Such discussions go on in various spyware and virus related news groups.
 