hidden process - a trojan?

Everything about IP-Tools
Kev
Posts: 2
Joined: Wed Jan 07, 2004 2:00 pm


Post by Kev »

hi there, just installed ip-tools for the first time. i am very impressed so far but i have found something that has worried me...

in the connections list appears a particular connection that looks suspect. it is a tcp connection to a machine i do not recognise... to make things worse it cannot name the process but instead says ???:2416 under process ID. this pid does not appear in task manager, in sysinternals process monitor, in hacker eliminator, or in security task manager - all apps i have installed specifically to try and track down this process. nothing else i have tried can even find it... except that pskill (part of sysinternals pstools) will report that it cannot kill the process because access is denied. how can i nail this process down? why can i not find it in any other process listing?!

it connects internally to port 2237 and remotely to port 3884... the status is LAST_ACK (unlike any other) and the suspect remote address is c-65-34-161-58.se.client2.attbi.com. could this be the address of a hacker who has my machine under remote control with process 2416?! and if so what the hell can i do about it?!!!

i would be most grateful if someone could help me with this!!
KS-Soft
Posts: 12869
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

I assume you are using Windows XP?
Theoretically IP-Tools can display "???" instead of the name of the process when the process has already terminated. "LAST_ACK" means that the connection is (almost) closed, Windows is just waiting for the acknowledgment. So, the process terminated but Windows still has information about the connection that was used by some process.
That's why other programs do not display this process at all.
it connects internally to port 2237 and remotely to port 3884... the status is LAST_ACK (unlike any other) and the suspect remote address is c-65-34-161-58.se.client2.attbi.com. could this be the address of a hacker who has my machine under remote control with process 2416?! and if so what the hell can i do about it?!!!
If you did not call this address, yes, it could be some trojan. However, I did not find any useful information about which program can use ports 2237 and 3884.
I think you should enable "save to log file" option (Connection Monitor page in the Options dialog) and check what process uses/used connection.

Regards
Alex
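Alex's explanation above rests on two checks that can be done by hand: does the PID shown for the socket exist in the process list, and is the socket in a closing TCP state? The script below is an added example (not part of IP-Tools or anything KS-Soft ships) that automates that triage: it parses the text format of `netstat -ano` on Windows and tags each socket as owned by a visible process, as a benign leftover of a process that has already exited (LAST_ACK and similar closing states), or as a live socket with no visible owner, which is the case that actually warrants a closer look. The netstat lines and the process snapshot are constructed for the example; the PID, ports and address are the ones from the thread, everything else is made up. `snapshot_windows()` is a hypothetical helper for running it live on a Windows box and is not exercised here.

```python
"""Tag sockets from `netstat -ano` output by whether their owning PID is visible.

Added example for the thread above; not IP-Tools code.  Runs offline on the
constructed sample below, or live on Windows via snapshot_windows().
"""
import csv
import io
import re
import subprocess
import sys

# Constructed sample of `netstat -ano` output.  PID 2416, ports 2237/3884 and
# the remote address are the ones reported in the thread; the rest is invented.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:2237      65.34.161.58:3884      LAST_ACK        2416
  TCP    192.168.1.10:1034      10.0.0.5:139           ESTABLISHED     4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  UDP    0.0.0.0:500            *:*                                    660
"""

# Constructed process snapshot (PID -> image name) taken at the same moment,
# standing in for Task Manager / tasklist.  Note that 2416 is not in it.
SAMPLE_PROCESSES = {4: "System", 820: "svchost.exe", 660: "lsass.exe"}

# One netstat -ano socket line: proto, local, remote, optional state (UDP has
# none), PID.  Header and blank lines simply fail to match.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_0-9]+)\s+)?(\d+)\s*$")

# TCP states in which a socket normally outlives the process that used it.
# LAST_ACK is the one Alex describes; the others are the same phenomenon on
# other sides of the close handshake.
CLOSING_STATES = {"LAST_ACK", "TIME_WAIT", "FIN_WAIT_1", "FIN_WAIT_2", "CLOSING"}


def parse_netstat(text):
    """Return one dict per socket line in `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state or "", "pid": int(pid)})
    return rows


def classify(rows, processes):
    """Pair each socket row with a verdict.

    known           owner PID is in the process list
    closing_orphan  owner gone, socket in a closing state: leftover from a
                    process that already exited (Alex's LAST_ACK case)
    live_orphan     owner gone, socket still LISTENING/ESTABLISHED or a bound
                    UDP port: either the process exited between the two
                    snapshots (re-run both) or the owner is hidden from the
                    process list, which is the case worth investigating
    """
    result = []
    for r in rows:
        if r["pid"] in processes:
            verdict = "known"
        elif r["state"] in CLOSING_STATES:
            verdict = "closing_orphan"
        else:
            verdict = "live_orphan"
        result.append((r, verdict))
    return result


def snapshot_windows():
    """Hypothetical live collector: netstat -ano plus tasklist /fo csv /nh."""
    net = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    tl = subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True, text=True).stdout
    procs = {}
    for row in csv.reader(io.StringIO(tl)):
        if len(row) >= 2 and row[1].isdigit():
            procs[int(row[1])] = row[0]   # "Image Name","PID",...
    return net, procs


if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        text, procs = snapshot_windows()
    else:
        text, procs = SAMPLE_NETSTAT, SAMPLE_PROCESSES
    for r, verdict in classify(parse_netstat(text), procs):
        owner = procs.get(r["pid"], "???")
        print(f"{verdict:15} {r['proto']:4} {r['local']:22} {r['remote']:22} "
              f"{r['state']:12} pid={r['pid']} ({owner})")
```

Run it on the sample and the thread's connection comes out as `closing_orphan`: the state explains why no process list can show PID 2416 and why pskill has nothing to kill. A `live_orphan` verdict is the one to act on, and the first action is simply to take both snapshots again so a process that exited between them is not mistaken for a hidden one.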
Kev
Posts: 2
Joined: Wed Jan 07, 2004 2:00 pm

Post by Kev »

hi alex, thanks for your help. sorry i should have mentioned my os version - yes i am on xp.... also on a lan and behind a firewall which makes this connection seem even more suspect...

so when can i expect this connection to end? it is still there waiting for acknowledgement. i will turn on logging and try and catch some more info...

in the meantime thanks again for your help :)
kev
KS-Soft
Posts: 12869
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

so when can i expect this connection to end? it is still there waiting for acknowledgement.
Actually, it's already closed. The OS (Windows) should not wait forever; after some timeout it should drop the connection and release resources even in case the final acknowledgment was not received. Looks like Windows "forgot" to do this; sometimes it happens.

Regards
Alex
paolari
Posts: 1
Joined: Sat May 30, 2009 11:48 pm

Post by paolari »

My computer has the antivermin trojan how do i get rid of it ?
I tried the prevx1 site based on an answer with good feedback, but after I downloaded it I could not navigate to any site. Does the trojan know I'm trying to get rid of it? When I removed prevx1 I could then navigate.
KS-Soft Europe
Posts: 2832
Joined: Tue May 16, 2006 4:41 am

Post by KS-Soft Europe »

I think you may ask antivirus developers, like Symantec or McAfee or others. We develop neither antivirus nor trojan removal programs. We develop network monitoring software.

I would suggest you take a look at the following articles: http://www.google.com/search?hl=en&clie ... f&oq=&aqi=

Regards,
Max