hi there, just installed IP-Tools for the first time. i am very impressed so far but i have found something that has worried me...
in the connections list appears a particular connection that looks suspect. it is a tcp connection to a machine i do not recognise... to make things worse it cannot name the process but instead says ???:2416 under process ID. this pid does not appear in Task Manager, in Sysinternals Process Monitor, in Hacker Eliminator, or in Security Task Manager - all apps i have installed specifically to try and track down this process. nothing else i have tried can even find it... except that pskill (part of Sysinternals PsTools) will report that it cannot kill the process because access is denied. how can i nail this process down? why can i not find it in any other process listing?!
it connects internally to port 2237 and remotely to port 3884... the status is LAST_ACK (unlike any other) and the suspect remote address is c-65-34-161-58.se.client2.attbi.com. could this be the address of a hacker who has my machine under remote control with process 2416?! and if so what the hell can i do about it?!!!
i would be most grateful if someone could help me with this!!
hidden process - a trojan?
I assume you are using Windows XP?
Theoretically IP-Tools can display "???" instead of the name of the process when the process has already terminated. "LAST_ACK" means that the connection is (almost) closed; Windows is just waiting for the acknowledgment. So, the process terminated but Windows still has information about the connection that was used by that process.
That's why other programs do not display this process at all.
If you did not call this address, yes, it could be some trojan. However, I did not find any useful information about what program can use ports 2237 and 3884.
I think you should enable the "save to log file" option (Connection Monitor page in the Options dialog) and check what process uses/used the connection.
Regards
Alex
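The distinction Alex draws above (a connection entry in a closing state whose owning PID has already exited, versus an entry that looks live but has no owner) can be checked mechanically. The script below is an added example, not code from the thread or from IP-Tools: it parses rows in the layout of Windows `netstat -ano` (Proto, Local, Foreign, State, PID) and compares each PID against a set of live PIDs taken from a process enumerator. The sample rows, the remote address 198.51.100.58 and the live-PID set are constructed; only local port 2237, remote port 3884 and PID 2416 come from kev's post.

```python
"""
Added example: triage connection-table rows by owner liveness and TCP state.

A socket in LAST_ACK (or another closing state) whose PID is not in the
process list is the usual "???" artefact: the program exited while the TCP
close handshake was still in flight, and the OS keeps the entry until the
final ACK arrives or its timer expires. A socket in ESTABLISHED or LISTENING
with a missing owner is the case that deserves a closer look, because a
live endpoint should always have a live process behind it.
"""
from dataclasses import dataclass

# TCP states in which the connection is being torn down. An entry in one of
# these states can legitimately outlive the process that opened it.
CLOSING_STATES = {"FIN_WAIT_1", "FIN_WAIT_2", "CLOSE_WAIT", "CLOSING",
                  "LAST_ACK", "TIME_WAIT"}


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    pid: int


def parse_netstat(text):
    """Parse `netstat -ano`-style TCP rows into Conn objects.

    Header lines, blank lines and UDP rows (which carry no State column and
    therefore split into four fields) are skipped.
    """
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        proto, local, remote, state, pid = parts
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def classify(conn, live_pids):
    """Return a verdict for one connection given the set of live PIDs."""
    if conn.pid in live_pids:
        return "ok"
    if conn.state in CLOSING_STATES:
        # Owner already gone; the kernel is just finishing the close handshake.
        return "stale-socket"
    # Entry looks live but nothing in the process list owns it: compare a
    # second process enumerator and the tool's own log before drawing conclusions.
    return "orphan-live"


def triage(text, live_pids):
    """Classify every TCP row; returns (local, remote, state, pid, verdict)."""
    return [(c.local, c.remote, c.state, c.pid, classify(c, live_pids))
            for c in parse_netstat(text)]


# Constructed sample in the layout of `netstat -ano` on Windows.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:2237      198.51.100.58:3884     LAST_ACK        2416
  TCP    192.168.1.10:1034      10.0.0.5:445           ESTABLISHED     4
  TCP    192.168.1.10:1099      203.0.113.7:6667       ESTABLISHED     9999
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
"""

# Constructed set of PIDs reported by a process enumerator at the same moment.
LIVE_PIDS = {4, 812, 1500}

if __name__ == "__main__":
    for local, remote, state, pid, verdict in triage(SAMPLE, LIVE_PIDS):
        print(f"{local:<22} {remote:<22} {state:<12} {pid:<6} {verdict}")
```

In practice `LIVE_PIDS` would be filled from `tasklist` (or a second enumerator, as kev did) captured at the same moment as the connection table, since a PID can be reused after exit. The row for PID 2416 comes out as `stale-socket`: the expected result for a LAST_ACK entry with no owner, and the reason the "save to log file" option is the way to learn the process name, because the log records it while the process is still running.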
hi alex, thanks for your help. sorry i should have mentioned my OS version - yes i am on XP.... also on a LAN and behind a firewall which makes this connection seem even more suspect...
so when can i expect this connection to end? it is still there waiting for acknowledgement. i will turn on logging and try and catch some more info...
in the meantime thanks again for your help
kev
Actually it's already closed. The OS (Windows) should not wait forever; after some timeout it should drop the connection and release resources even in case the final acknowledgment was not received. Looks like Windows "forgot" to do this; sometimes it happens.
Regards
Alex
My computer has the antivermin trojan how do i get rid of it ?
I tried the prevx1 site based on an answer with good feedback, but after I downloaded it I could not navigate to any site. Does the trojan know I'm trying to get rid of it? When I removed prevx1 I could then navigate.
_____________
external keyword tool ~ keyworddiscovery.com ~ keycompete.com ~ compete.com ~ webmasterworld.com
Last edited by paolari on Sat Jun 06, 2009 12:07 am, edited 1 time in total.
I think you may ask antivirus developers, like Symantec or McAfee or others. We develop neither antivirus nor trojan removal programs. We develop network monitoring software.
I would suggest you take a look at the following articles: http://www.google.com/search?hl=en&clie ... f&oq=&aqi=
Regards,
Max