IchBin wrote:
IchBin wrote:
IchBin wrote:
Guy Harris wrote:
On Jul 13, 2007, at 5:19 PM, Guy Harris wrote:
(Its output resembles that of netstat, probably intentionally. I
don't know whether any UN*Xes have tools such as that, i.e. either a
command-line or graphical netstat-plus-process-name - probably some
do.)
A Linux netstat man page at
http://linux.die.net/man/8/netstat
indicates that there's a "--process" flag that shows the process ID
and process name (probably the first N characters of the last
component of the executable name, or something such as that) of the
process that owns the socket; you have to be super-user to get that
for processes not your own.
lsof might also be able to get some information of that sort on some
UN*Xes.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
Thanks Guy for the info. On Windows the format is "Netstat -b". I do not
see any associated program that started the connection. I suspect that
programs that monitor the IP processes, like WhatsRunning and
Sysinternals under Windows, are just issuing Netstat commands, capturing
the output and displaying it in their own window. At least that is what
I have done in the past when writing that type of interface using Java.
[SNIP]
Again, thanks to you all for your guidance in this thread. This could be
a moot issue since I am building a new computer and plan to use a
different and newer Windows OS, that is, WinXP SP Pro 64bit, which may
open another can of worms, so to speak.
Well, after looking around and looking at the SmitfraudFix output, I see
something that is not correct.
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC #2
DNS Server Search Order: 68.87.64.146
DNS Server Search Order: 68.87.75.194
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC #2
DNS Server Search Order: 68.87.64.146
DNS Server Search Order: 68.87.75.194
HKLM\SYSTEM\CCS\Services\Tcpip\..\{83A9FF0F-296C-4D45-A153-6B8A6AFF8BCE}: DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8A153A46-7E4A-44EE-8443-D1D0EA855ABD}: DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E55D5B3A-6EDC-4FC0-9E4B-6EEA562E9F44}: DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CS1\Services\Tcpip\..\{83A9FF0F-296C-4D45-A153-6B8A6AFF8BCE}: DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8A153A46-7E4A-44EE-8443-D1D0EA855ABD}: DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E55D5B3A-6EDC-4FC0-9E4B-6EEA562E9F44}: DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CS3\Services\Tcpip\..\{83A9FF0F-296C-4D45-A153-6B8A6AFF8BCE}: DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8A153A46-7E4A-44EE-8443-D1D0EA855ABD}: DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E55D5B3A-6EDC-4FC0-9E4B-6EEA562E9F44}: DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146 68.87.75.194
Not sure why these IP addresses are defined as a DhcpNameServer in the
Windows registry (not Comcast):
207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
Not sure how to get rid of them either. The instructions I see about these
settings are to avoid changing them, which does not make sense since I do
not think they should be there in the first place. Not really sure if
this is a part of any problems I am having, but it does not look right. Guess
I need to know the implications of having them defined as DhcpNameServer.
Just wanted to close this thread with a happy ending. I finally resolved
it yesterday. Long story short, it did turn out to be Trojans. It's just
that the four virus programs I run all of the time never picked them up.
Once I had the 4 Trojan names I still could only find a few references
via Google search. So I guess they are fairly new ones. Oh, the program
that caught them is a free one and is called 'AVG Free Advisor',
http://free.grisoft.com. I happened to find it mentioned in the forums and
newsgroups I visited trying to determine what type of software problem I
had.
You all were right about the ARP traffic. That is, ARP broadcasts were
taking very little bandwidth, and that was a normal volume. Well, not
being a network person, I just had a hard time reconciling the light on
my cable modem being lit all of the time when I was not
downloading/uploading anything. It was not the ARP traffic but the other
"call home" traffic.
When I use Wireshark now to look at my network card I see the same ARP
traffic load but the modem light goes on only sparingly. I think that
is just the handshaking with the DHCP server.
Not sure if any one is interested but these are the Trojans I found on
my machine:
Trojan horse SHeur.ND
Trojan horse BackDoor.Generic7.IZY
Trojan horse Generic5.GUH
Trojan horse BackDoor.Generic6.CQH
--
Thanks in Advance... http://weconsulting.org
IchBin, Philadelphia, Pa, USA http://ichbinquotations.weconsulting.org
______________________________________________________________________
'If there is one, Knowledge is the "Fountain of Youth"'
-William E. Taylor, Regular Guy (1952-)
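The registry question raised earlier in this thread (resolvers under DhcpNameServer that the poster does not recognise, repeated under CCS, CS1 and CS3) is worth checking mechanically, because a resolver you did not choose is a common sign of DNS hijacking and because a value that lives in several control sets survives a fix applied to only the current one. The following is an added example, not code from the thread or from SmitfraudFix: it parses the DNS section of a SmitfraudFix-style dump (the sample is constructed from the lines posted above, with wrapped lines rejoined), tolerates the mixed space/comma separators and the duplicated list seen in the dump, and reports every interface whose resolvers fall outside an allowlist, together with every control set the value appears in. The allowlist of expected ISP resolvers (the two 68.87.x.x addresses the poster attributes to Comcast) is an assumption; in a live check you would read the values from HKLM\SYSTEM\ControlSet00N\Services\Tcpip\Parameters\Interfaces\{GUID} instead of a pasted dump.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: registry lines from the SmitfraudFix output posted in
# the thread, with wrapped lines rejoined. A real run would feed in the whole dump.
SAMPLE_DUMP = r"""
HKLM\SYSTEM\CCS\Services\Tcpip\..\{83A9FF0F-296C-4D45-A153-6B8A6AFF8BCE}: DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8A153A46-7E4A-44EE-8443-D1D0EA855ABD}: DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CS1\Services\Tcpip\..\{83A9FF0F-296C-4D45-A153-6B8A6AFF8BCE}: DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{83A9FF0F-296C-4D45-A153-6B8A6AFF8BCE}: DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146 68.87.75.194
"""

# Assumption: the resolvers the ISP's DHCP server is expected to hand out
# (the poster identifies 68.87.x.x as Comcast's). Anything else is flagged.
EXPECTED_RESOLVERS = frozenset({"68.87.64.146", "68.87.75.194"})

# One dump line: control set, interface key (GUID or "Parameters"), value name, value.
LINE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\Tcpip\\(?:\.\.\\)?(?P<key>[^:]+):\s*"
    r"(?P<name>(?:Dhcp)?NameServer)=(?P<value>.*)$"
)


@dataclass(frozen=True)
class DnsEntry:
    control_set: str   # CCS, CS1, CS3, ...
    key: str           # interface GUID or "Parameters"
    value_name: str    # DhcpNameServer or NameServer
    servers: tuple     # resolver addresses in the order they appear


@dataclass(frozen=True)
class Finding:
    key: str
    value_name: str
    unexpected: tuple      # resolvers not in the allowlist, sorted
    control_sets: tuple    # every control set the value is persisted in
    duplicated: bool       # the same resolver listed more than once in one value


def parse_dns_dump(text):
    """Parse the DNS section of a SmitfraudFix-style dump into DnsEntry records.

    Values may be space- or comma-separated (the posted dump has both, plus a
    stray ' ,' where the list was written twice); tokens that are not IP
    addresses are dropped rather than treated as resolvers.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        servers = []
        for tok in re.split(r"[\s,]+", m.group("value").strip()):
            try:
                servers.append(str(ipaddress.ip_address(tok)))
            except ValueError:
                continue  # empty token or not an address
        entries.append(DnsEntry(m.group("cs"), m.group("key"),
                                m.group("name"), tuple(servers)))
    return entries


def audit_resolvers(entries, expected=EXPECTED_RESOLVERS):
    """Group entries by (interface key, value name) and report any group whose
    resolvers fall outside `expected` or repeat themselves, listing every
    control set the value lives in so none is missed when cleaning up.
    """
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e.key, e.value_name)].append(e)
    findings = []
    for (key, name), group in sorted(by_key.items()):
        unexpected = tuple(sorted({s for e in group for s in e.servers if s not in expected}))
        duplicated = any(len(e.servers) != len(set(e.servers)) for e in group)
        if unexpected or duplicated:
            findings.append(Finding(key, name, unexpected,
                                    tuple(sorted({e.control_set for e in group})), duplicated))
    return findings


if __name__ == "__main__":
    for f in audit_resolvers(parse_dns_dump(SAMPLE_DUMP)):
        print(f"{f.value_name} on {f.key}: unexpected {', '.join(f.unexpected)} "
              f"in {', '.join(f.control_sets)}"
              + (" (list duplicated)" if f.duplicated else ""))
```

Run against the sample, the only finding is the {83A9FF0F-...} interface, flagged in CCS, CS1 and CS3 at once, which is exactly why clearing the value under CurrentControlSet alone would not be enough: the other control sets still hold the same resolver list and would restore it on a Last Known Good boot.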