KS-Soft. Network Management Solutions

hidden process - a trojan?

Kev



Joined: 07 Jan 2004
Posts: 2

Posted: Wed Jan 07, 2004 2:15 pm    Post subject: hidden process - a trojan?

hi there, just installed ip-tools for the first time. i am very impressed so far but i have found something that has worried me...

in the connections list appears a particular connection that looks suspect. it is a tcp connection to a machine i do not recognise... to make things worse it cannot name the process but instead says ???:2416 under process ID. this pid does not appear in task manager, in sysinternals process monitor, in hacker eliminator, or in security task manager - all apps i have installed specifically to try and track down this process. nothing else i have tried can even find it... except that pskill (part of sysinternals pstools) will report that it cannot kill the process because access is denied. how can i nail this process down? why can i not find it in any other process listing?!

it connects internally to port 2237 and remotely to port 3884... the status is LAST_ACK (unlike any other) and the suspect remote address is c-65-34-161-58.se.client2.attbi.com. could this be the address of a hacker who has my machine under remote control with process 2416?! and if so what the hell can i do about it?!!!

i would be most grateful if someone could help me with this!!
KS-Soft



Joined: 03 Apr 2002
Posts: 11782
Location: USA

Posted: Wed Jan 07, 2004 8:36 pm

I assume you are using Windows XP?
Theoretically IP-Tools can display "???" instead of the name of the process when the process has already terminated. "LAST_ACK" means that the connection is (almost) closed; Windows is just waiting for the acknowledgment. So, the process terminated but Windows still has information about the connection that was used by some process.
That's why other programs do not display this process at all.

Quote:
it connects internally to port 2237 and remotely to port 3884... the status is LAST_ACK (unlike any other) and the suspect remote address is c-65-34-161-58.se.client2.attbi.com. could this be the address of a hacker who has my machine under remote control with process 2416?! and if so what the hell can i do about it?!!!

If you did not call this address, yes, it could be some trojan. However, I did not find any useful information about what program can use ports 2237 and 3884.
I think you should enable "save to log file" option (Connection Monitor page in the Options dialog) and check what process uses/used connection.

Regards
Alex
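The explanation above (a socket in a closing state whose owning process has already exited shows up with no process name, "???:pid") can be turned into a small triage check. The script below is an added example, not part of IP-Tools or of the thread; it parses constructed `netstat -ano`-style rows against a constructed set of live PIDs and labels dead-PID sockets as residual (closing state, harmless leftover) or orphaned (still open, worth a look).

```python
import re
from dataclasses import dataclass

# TCP states in which the socket is on its way out: the owning process may
# already be gone while the OS still keeps the table entry (the thread's case).
CLOSING_STATES = {"LAST_ACK", "TIME_WAIT", "CLOSE_WAIT",
                  "FIN_WAIT_1", "FIN_WAIT_2", "CLOSING"}

# One `netstat -ano` data row: proto, local, remote, optional state (UDP has none), PID.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_0-9]+)\s+)?(\d+)\s*$")


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str  # "" for UDP rows
    pid: int


def parse_netstat(text: str) -> list:
    """Parse `netstat -ano`-style output, skipping headers and blank lines."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns


def triage(conns, live_pids):
    """Pair each connection with a verdict:
    'live'     - owning PID still exists, nothing to explain
    'residual' - PID gone, socket in a closing state (what IP-Tools showed as ???:2416)
    'orphan'   - PID gone but socket still open/listening: investigate
    """
    out = []
    for c in conns:
        if c.pid in live_pids:
            verdict = "live"
        elif c.state in CLOSING_STATES:
            verdict = "residual"
        else:
            verdict = "orphan"
        out.append((c, verdict))
    return out


# Constructed sample, not a real capture: the LAST_ACK row mirrors the ports and PID
# from the thread (2237 -> 3884, PID 2416) and the address encoded in the quoted
# hostname; the local address and all other rows are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.0.5:2237       65.34.161.58:3884      LAST_ACK        2416
  TCP    192.168.0.5:3102       10.0.0.7:445           ESTABLISHED     9999
  UDP    0.0.0.0:500            *:*                                    640
"""
LIVE_PIDS = {812, 640}  # constructed: PIDs a `tasklist` run reported as running


def triage_sample() -> dict:
    return {c.pid: v for c, v in triage(parse_netstat(SAMPLE_NETSTAT), LIVE_PIDS)}


if __name__ == "__main__":
    for c, v in triage(parse_netstat(SAMPLE_NETSTAT), LIVE_PIDS):
        print(f"{v:8} pid={c.pid:<5} {c.proto} {c.local} -> {c.remote} {c.state}")
```

On a real host, feed the script the output of `netstat -ano` and the PID column of `tasklist`; a residual entry should disappear once the OS times the socket out, while an orphan that persists deserves the logging Alex suggests.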
Kev



Joined: 07 Jan 2004
Posts: 2

Posted: Thu Jan 08, 2004 3:43 am

hi alex, thanks for your help. sorry i should have mentioned my os version - yes i am on xp.... also on a lan and behind a firewall which makes this connection seem even more suspect...

so when can i expect this connection to end? it is still there waiting for acknowledgement. i will turn on logging and try and catch some more info...

in the meantime thanks again for your help
kev
KS-Soft



Joined: 03 Apr 2002
Posts: 11782
Location: USA

Posted: Thu Jan 08, 2004 8:59 pm

Quote:
so when can i expect this connection to end? it is still there waiting for acknowledgement.

Actually, it's already closed. The OS (Windows) should not wait forever; after some timeout it should drop the connection and release resources even in case the final acknowledgment was not received. Looks like Windows "forgot" to do this; sometimes it happens.

Regards
Alex
paolari



Joined: 30 May 2009
Posts: 1

Posted: Wed Jun 03, 2009 5:57 am

My computer has the antivermin trojan. How do I get rid of it?
I tried the prevx1 site based on an answer with good feedback, but after I downloaded it I could not navigate to any site. Does the trojan know I'm trying to get rid of it? When I removed prevx1 I could then navigate.
Last edited by paolari on Sat Jun 06, 2009 12:07 am; edited 1 time in total
KS-Soft Europe



Joined: 16 May 2006
Posts: 2833

Posted: Wed Jun 03, 2009 6:06 am

I think you may ask antivirus developers, like Symantec or McAfee or others. We develop neither antivirus nor trojan removal programs. We develop network monitoring software.

I would suggest you take a look at the following articles: http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=CD&q=antivermin+remove&btnG=Search&aq=f&oq=&aqi=

Regards,
Max