High PID, Strange ip range, 'Ghost' Process ?

Discussion in 'Port Explorer' started by Pho3NiXW0rlD, Jun 5, 2005.

  1. Pho3NiXW0rlD

    Pho3NiXW0rlD Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    5
    Well, I just tried Port Explorer today and have some problems.
    Aside from the normal things I know I have,
    • I have 33 open sockets with very high PIDs, like between 303104 and 965633
    • There is no information about those processes
    • Setting > show process as
      They do not have any 'exe Name'/'path information'/'file info'
    • They all use protocol 'other' (no udp/tcp)
    • They have strange local addresses:
      0.0.0.0 (ok)
      0.127.0.0 (??)
      0.192.168.1 (??)

      That looks to me like an error in parsing.
      127.0.0.1 EXISTS and is my comp
      192.168.1.50 EXISTS and is my local IP

      so it's like the last number is erased and we add 0. in the front
    • They have strange remote addresses:
      all in the 1.0.0.0 / 1.255.255.255 range
      except some are either
      0.0.0.0
      0.127.0.0
    • There are three groups of local ports
      1-32
      256-303
      12800-12807
    • None of those process PIDs are on any task manager
    • PE cannot close those processes
      Error: Could not open the process
    • APT (another tool from DiamondCS) cannot close those processes
      (They do not show in the process list but we can close by PID)

    That is pretty much it
    I have installed ProcessGuard so I know which processes are launched
    I have disabled ProcessGuard before trying to kill the processes so PG will not block this attempt

    So, well, I have some doubt that those are 'leftovers' or incorrect information parsing from PE. Also there is another 'bug': PE resolves 127.0.0.1 as acestats.com .. which I highly doubt it is. Probably acestats is the server they use to resolve IPs.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
  3. Pho3NiXW0rlD

    Pho3NiXW0rlD Registered Member

    Thank you, this is exactly the same problem; however, the fix proposed in this thread did not help me.

    Here's some part of the log:

    Code:
    --------------------------------------------------------------------------------------------------------
    |  NAME  |   PID  | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS |
    --------------------------------------------------------------------------------------------------------
    |        | 303104 |   Other  |   localhost   |    1       |    localhost   |    0        |             |
    |        | 303104 |   Other  |   localhost   |    17      |    localhost   |    0        |             |
    |        | 379904 |   Other  |  0.192.168.1  |    12800   |    localhost   |    0        |             |
    |        | 379904 |   Other  |   0.127.0.0   |    256     |    localhost   |    0        |             |
    |        | 392192 |   Other  |   localhost   |    4       |  1.206.47.244  |    19968    |             |
    |        | 392192 |   Other  |   localhost   |    4       |  1.206.47.244  |    10752    |             |
    |        | 394241 |   Other  |  0.192.168.1  |    12804   |  1.64.233.161  |    37632    |             |
    |        | 394241 |   Other  |   0.127.0.0   |    303     |    1.127.0.0   |    260      |             |
    |        | 394241 |   Other  |  0.192.168.1  |    12804   |  1.64.233.161  |    27136    |             |
    |        | 394241 |   Other  |  0.192.168.1  |    12804   |   1.64.91.226  |    61696    |             |
    |        | 394241 |   Other  |  0.192.168.1  |    12804   |  1.38.116.157  |    33792    |             |
    |        | 394241 |   Other  |  0.192.168.1  |    12804   |  1.207.171.166 |    9472     |             |
    |        | 394241 |   Other  |  0.192.168.1  |    12804   |  1.64.233.161  |    25344    |             |
    |        | 394241 |   Other  |  0.192.168.1  |    12804   |   1.64.86.89   |    2304     |             |
    |        | 394241 |   Other  |  0.192.168.1  |    12804   |  1.209.59.128  |    49408    |             |
    |        | 400384 |   Other  |   0.127.0.0   |    263     |    localhost   |    0        |             |
    |        | 400384 |   Other  |  0.192.168.1  |    12807   |    localhost   |    0        |             |
    |        | 510976 |   Other  |   localhost   |    12      |    localhost   |    0        |             |
    |        | 562176 |   Other  |   0.127.0.0   |    260     |  1.64.233.161  |    27136    |             |
    |        | 562177 |   Other  |  0.192.168.1  |    12804   |  1.64.233.161  |    27392    |             |
    |        | 562177 |   Other  |   0.127.0.0   |    260     |    1.127.0.0   |    260      |             |
    |        | 562177 |   Other  |   0.127.0.0   |    260     |   1.64.91.226  |    61696    |             |
    |        | 562177 |   Other  |   0.127.0.0   |    260     |  1.64.233.161  |    37632    |             |
    |        | 562177 |   Other  |   0.127.0.0   |    260     |  1.207.171.166 |    9472     |             |
    |        | 562177 |   Other  |   0.127.0.0   |    260     |   1.64.86.89   |    2304     |             |
    |        | 562177 |   Other  |   0.127.0.0   |    260     |  1.64.233.161  |    25344    |             |
    |        | 562177 |   Other  |   0.127.0.0   |    260     |  1.209.59.128  |    49408    |             |
    |        | 562177 |   Other  |   localhost   |    4       |    0.127.0.0   |    256      |             |
    |        | 652289 |   Other  |   0.127.0.0   |    260     |    1.127.0.0   |    260      |             |
    |        | 652289 |   Other  |  0.192.168.1  |    12804   |  1.64.233.161  |    26880    |             |
    |        | 794625 |   Other  |  0.192.168.1  |    12804   |  1.207.46.236  |    6144     |             |
    |        | 892928 |   Other  |   localhost   |    32      |    localhost   |    0        |             |
    |        | 894976 |   Other  |   localhost   |    22      |    localhost   |    0        |             |
    |        | 917504 |   Other  |   localhost   |    4       |    localhost   |    0        |             |
    |        | 917504 |   Other  |  0.192.168.1  |    13045   |   1.192.168.1  |    263      |             |
    |        | 917505 |   Other  |  0.192.168.1  |    12804   |  1.207.68.178  |    4096     |             |
    |        | 917505 |   Other  |  0.192.168.1  |    12804   |  1.65.182.102  |    2816     |             |
    |        | 917505 |   Other  |  0.192.168.1  |    12804   |   1.207.46.0   |    19975    |             |
    |        | 917505 |   Other  |  0.192.168.1  |    12804   |   1.65.54.157  |    18176    |             |
    --------------------------------------------------------------------------------------------------------
    
    
    Here's a HijackThis log, if it can be in any way useful:

    Code:
    Logfile of HijackThis v1.99.0
    Scan saved at 09:28:42, on 2005-06-06
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Aquarius Soft\PC Shutdown\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\ProcessGuard\dcsuserprot.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\web\mysql\bin\mysqld-nt.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\OO Software\CleverCache\OOCCSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ProcessGuard\pgaccount.exe
    C:\Program Files\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
    C:\Program Files\Abyss Web Server\abyssws.exe
    C:\Program Files\Abyss Web Server\abyssws.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\ProcessGuard\procguard.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Port Explorer\PortExplorer.exe
    C:\Program Files\IDM Computer Solutions\UltraEdit-32\uedit32.exe
    C:\Documents and Settings\JC\Desktop\HijackThis.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\Program Files\Zend\bin\ZendIEToolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
    O4 - HKLM\..\Run: [RegDefend] "C:\Program Files\RegDefend\regdefend.exe" -minimize
    O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\Program Files\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
    O4 - HKCU\..\Run: [AbyssWebServer] C:\Program Files\Abyss Web Server\abyssws.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\JC\Application Data\Mozilla\Firefox\Profiles\default.isj\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\JC\Application Data\Mozilla\Firefox\Profiles\default.isj\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
    O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Program Files\Zend\bin\ZendIEToolbar.dll/DebugCurrent.html
    O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Program Files\Zend\bin\ZendIEToolbar.dll/DebugNext.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PrivacyExpert\Blocker.dll (file missing)
    O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PrivacyExpert\Blocker.dll (file missing)
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Zend\bin\ZendIEToolbar.dll
    O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Zend\bin\ZendIEToolbar.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Correcteur - {F7C8E5F6-B6D1-45db-8D91-2BCFA5DF11A9} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote K - IE 6.htm
    O9 - Extra button: Dictionnaire - {FB4AE6A3-EE20-442c-9189-251885352358} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote D - IE 6.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Synonymes - {FDD637F8-2693-49ce-817E-1AD59574900C} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote S - IE 6.htm
    O9 - Extra button: Conjugueur - {FF229BEC-9E1F-48c1-99A6-AF34ABEFAB0A} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote C - IE 6.htm
    O9 - Extra button: Grammaire - {FFB5EE7F-726F-423e-83C2-572FE7CEB3F0} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote G - IE 6.htm
    O9 - Extra button: Correcteur - {F7C8E5F6-B6D1-45db-8D91-2BCFA5DF11A9} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote K - IE 6.htm (HKCU)
    O9 - Extra button: Dictionnaire - {FB4AE6A3-EE20-442c-9189-251885352358} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote D - IE 6.htm (HKCU)
    O9 - Extra button: Synonymes - {FDD637F8-2693-49ce-817E-1AD59574900C} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote S - IE 6.htm (HKCU)
    O9 - Extra button: Conjugueur - {FF229BEC-9E1F-48c1-99A6-AF34ABEFAB0A} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote C - IE 6.htm (HKCU)
    O9 - Extra button: Grammaire - {FFB5EE7F-726F-423e-83C2-572FE7CEB3F0} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote G - IE 6.htm (HKCU)
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F48F2589-F4EB-4D27-9D8E-0365A8787BFD}: NameServer = 206.47.244.78,206.47.244.42
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Aquarius Soft PC Shutdown NT Service - Aquarius Soft - C:\Program Files\Aquarius Soft\PC Shutdown\svchost.exe
    O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: DiamondCS Process Guard Service v3.000 - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Intel NCS NetService - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NOD32 Kernel Service - Eset  - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
    O23 - Service: O&O CleverCache Pro - O&O Software GmbH - C:\Program Files\OO Software\CleverCache\OOCCSVC.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    
    
     
    Last edited: Jun 6, 2005
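
    A check of the parsing-error suspicion raised in the first post, added here as an example (it is not part of the original thread and is not Port Explorer code). It assumes each address/port pair was read one byte early; the function names and that model are assumptions, while the rows, the LAN address 192.168.1.50 and the two name servers are taken from the posts above.

```python
import ipaddress

# (displayed address, displayed port) fields copied from the Port Explorer
# table in the post above; fields shown as "localhost" are left out.
SHOWN_FIELDS = [
    ("0.192.168.1", 12804),
    ("0.127.0.0", 260),
    ("0.127.0.0", 256),
    ("1.127.0.0", 260),
    ("1.206.47.244", 19968),
    ("1.206.47.244", 10752),
    ("1.64.233.161", 37632),
]

# Addresses the poster says are really in use: loopback and the LAN address
# (first post) and the two name servers (O17 line of the HijackThis log).
KNOWN_ADDRESSES = {
    "127.0.0.1",
    "192.168.1.50",
    "206.47.244.78",
    "206.47.244.42",
}


def misread(real_addr, real_port, stray_byte):
    """Simulate the assumed bug: read address and port one byte early.

    In network byte order the pair is   a b c d PH PL.
    Starting one byte early gives address  X a b c  and port  d PH;
    the low port byte PL is never displayed.
    """
    raw = (bytes([stray_byte])
           + ipaddress.IPv4Address(real_addr).packed
           + real_port.to_bytes(2, "big"))
    shown_addr = str(ipaddress.IPv4Address(raw[0:4]))
    shown_port = int.from_bytes(raw[4:6], "big")
    return shown_addr, shown_port


def realign(shown_addr, shown_port):
    """Undo the shift.

    Returns (real address, (lowest, highest) possible real port, stray byte).
    Only the high byte of the real port survives, hence a range of 256 ports.
    """
    a = ipaddress.IPv4Address(shown_addr).packed   # X a b c
    p = shown_port.to_bytes(2, "big")              # d PH
    real_addr = str(ipaddress.IPv4Address(a[1:] + p[:1]))
    port_base = p[1] << 8
    return real_addr, (port_base, port_base | 0xFF), a[0]


def explain(fields=SHOWN_FIELDS, known=KNOWN_ADDRESSES):
    """Realign every displayed field and flag addresses the poster named."""
    results = []
    for shown_addr, shown_port in fields:
        real_addr, port_range, stray = realign(shown_addr, shown_port)
        results.append({
            "shown": (shown_addr, shown_port),
            "address": real_addr,
            "port_range": port_range,
            "stray_byte": stray,
            "known": real_addr in known,
        })
    return results


if __name__ == "__main__":
    for r in explain():
        shown = "%s:%d" % r["shown"]
        lo, hi = r["port_range"]
        tag = "named in the thread" if r["known"] else "not named in the thread"
        print(f"{shown:<22} -> {r['address']:<16} port {lo}-{hi}  ({tag})")
```

    Under this model every local field decodes to 127.0.0.1 or 192.168.1.50, and the two 1.206.47.244 rows decode to the two configured name servers with a port range that contains 53. The displayed rows are therefore consistent with a misaligned read of ordinary sockets.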
  4. Jooske

    Jooske Registered Member

    Hi again,
    a few first impressions/questions:
    You didn't use the latest version of HJT.
    C:\Program Files\Aquarius Soft\PC Shutdown\svchost.exe
    Should this run normally from the windows\system32 folder?
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    Could this do nasty things, as I thought it could contain lop.com?
    O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PrivacyExpert\Blocker.dll (file missing)
    O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PrivacyExpert\Blocker.dll (file missing)
    As the file is missing you can fix that one.
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F48F2589-F4EB-4D27-9D8E-0365A8787BFD}: NameServer = 206.47.244.78,206.47.244.42
    Do you know this domain?

    More analysis is needed.
     
  5. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Pho3NiXW0rlD

    Have you tried using a packet sniffer like Ethereal to see what may, or may not, be going on in the way of communications?

    Regards,

    CrazyM
     
  6. Jooske

    Jooske Registered Member

    acestats.com resolves to 213.228.214.65? It's a website stats counter; it can happen that you were on a page where that was used and the socket is not dropped yet. If you right-click on them you will get the "what is 127.0.0.1" option in the menu in such cases.

    Is your HOSTS file ok?

    Does the Socket Spy on those processes unveil any info too?
    Does Ethereal add to the info like CrazyM asked? (thanks for dropping in!)

    BTW: For the HJT please get the latest version of HJT and post that one.
     
    Last edited: Jun 7, 2005
  7. Pho3NiXW0rlD

    Pho3NiXW0rlD Registered Member

    OK, those two IPs are what I have set as DNS servers (provided by ISP)

    You are prompted with a screen and you choose to install it or not; the screen is very clear and it's in no way designed to fool you.

    OK, done

    Well, this is a commercial PC shutdown planning software.
    The only thing I don't like about them is that they decided to use a process name already in use by the OS


    I'm doing additional research on my situation
    My host is perfect

    Even if I disable all my internet connections I have those running:
    Code:
    ------------------------------------------------------------------------------------------------------------------------------
    |   NAME    |     CREATION     |   PID  | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS |
    ------------------------------------------------------------------------------------------------------------------------------
    |           | 09:50 06/06/2005 | 304128 |   Other  |    0.0.0.0    |    1       |     0.0.0.0    |    0        |             |
    |           | 09:50 06/06/2005 | 304128 |   Other  |    0.0.0.0    |    17      |     0.0.0.0    |    0        |             |
    |           | 09:51 06/06/2005 | 624640 |   Other  |    0.0.0.0    |    32      |     0.0.0.0    |    0        |             |
    |           | 09:51 06/06/2005 | 626688 |   Other  |    0.0.0.0    |    22      |     0.0.0.0    |    0        |             |
    |           | 09:50 06/06/2005 | 372736 |   Other  |   0.127.0.0   |    256     |     0.0.0.0    |    0        |             |
    |           | 09:51 06/06/2005 | 399360 |   Other  |   0.127.0.0   |    263     |     0.0.0.0    |    0        |             |
    |           | 09:52 06/06/2005 | 685056 |   Other  |   0.127.0.0   |    260     |     0.0.0.0    |    0        |             |
    |           | 09:52 06/06/2005 | 695296 |   Other  |   0.127.0.0   |    291     |     0.0.0.0    |    0        |             |
    |           | 09:51 06/06/2005 | 466945 |   Other  |   0.127.0.0   |    260     |    0.127.0.0   |    260      |             |
    |           | 09:54 06/06/2005 | 185344 |   Other  |   0.127.0.0   |    260     |    1.127.0.0   |    260      |             |
    |           | 09:52 06/06/2005 | 676865 |   Other  |   0.127.0.0   |    260     |    1.127.0.0   |    291      |             |
    |           | 09:52 06/06/2005 | 685057 |   Other  |   0.127.0.0   |    260     |    1.127.0.0   |    260      |             |
    |           | 09:52 06/06/2005 | 695297 |   Other  |   0.127.0.0   |    291     |    1.127.0.0   |    260      |             |
    ------------------------------------------------------------------------------------------------------------------------------
    
    There seems to be a link between normal processes and ghost ones ... as the ghosts never change state .. unless I kill a normal process

    E.g. I close a legitimate process and one of the ghosts closes itself

    [edit]

    As requested,
    HijackThis 1.99.1 log
    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 20:29:26, on 2005-06-07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Aquarius Soft\PC Shutdown\svchost.exe
    C:\Program Files\ProcessGuard\dcsuserprot.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\OO Software\CleverCache\OOCCSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ProcessGuard\pgaccount.exe
    C:\Program Files\RegDefend\regdefend.exe
    C:\Program Files\RegDefend\regdefend.exe
    C:\Program Files\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
    C:\Program Files\Abyss Web Server\abyssws.exe
    C:\Program Files\Abyss Web Server\abyssws.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\ProcessGuard\procguard.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\JC\LOCALS~1\Temp\Rar$EX00.682\HijackThis.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\Program Files\Zend\bin\ZendIEToolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
    O4 - HKLM\..\Run: [RegDefend] "C:\Program Files\RegDefend\regdefend.exe" -minimize
    O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\Program Files\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
    O4 - HKCU\..\Run: [AbyssWebServer] C:\Program Files\Abyss Web Server\abyssws.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\JC\Application Data\Mozilla\Firefox\Profiles\default.isj\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\JC\Application Data\Mozilla\Firefox\Profiles\default.isj\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
    O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Program Files\Zend\bin\ZendIEToolbar.dll/DebugCurrent.html
    O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Program Files\Zend\bin\ZendIEToolbar.dll/DebugNext.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Zend\bin\ZendIEToolbar.dll
    O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Zend\bin\ZendIEToolbar.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Correcteur - {F7C8E5F6-B6D1-45db-8D91-2BCFA5DF11A9} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote K - IE 6.htm
    O9 - Extra button: Dictionnaire - {FB4AE6A3-EE20-442c-9189-251885352358} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote D - IE 6.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Synonymes - {FDD637F8-2693-49ce-817E-1AD59574900C} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote S - IE 6.htm
    O9 - Extra button: Conjugueur - {FF229BEC-9E1F-48c1-99A6-AF34ABEFAB0A} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote C - IE 6.htm
    O9 - Extra button: Grammaire - {FFB5EE7F-726F-423e-83C2-572FE7CEB3F0} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote G - IE 6.htm
    O9 - Extra button: Correcteur - {F7C8E5F6-B6D1-45db-8D91-2BCFA5DF11A9} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote K - IE 6.htm (HKCU)
    O9 - Extra button: Dictionnaire - {FB4AE6A3-EE20-442c-9189-251885352358} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote D - IE 6.htm (HKCU)
    O9 - Extra button: Synonymes - {FDD637F8-2693-49ce-817E-1AD59574900C} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote S - IE 6.htm (HKCU)
    O9 - Extra button: Conjugueur - {FF229BEC-9E1F-48c1-99A6-AF34ABEFAB0A} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote C - IE 6.htm (HKCU)
    O9 - Extra button: Grammaire - {FFB5EE7F-726F-423e-83C2-572FE7CEB3F0} - C:\PROGRA~1\Druide\Antidote\Antidote\Internet Explorer\6\Antidote G - IE 6.htm (HKCU)
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F48F2589-F4EB-4D27-9D8E-0365A8787BFD}: NameServer = 206.47.244.78,206.47.244.42
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Aquarius Soft PC Shutdown NT Service - Aquarius Soft - C:\Program Files\Aquarius Soft\PC Shutdown\svchost.exe
    O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
    O23 - Service: O&O CleverCache Pro (OOCleverCache) - O&O Software GmbH - C:\Program Files\OO Software\CleverCache\OOCCSVC.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    
    I'll go play with Ethereal and repost here
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks for explaining.
    I wonder: normally with a UDP process / socket you will see its TCP partner as well, so with your description it seems the Other belongs to it too?
    I look on my system at
    vsmon.exe PID 1008 Other localhost port 0 192.168.0.1 port 0
    vsmon.exe PID 1008 UDP localhost 1028 *.*.*.* port 0
    *vsmon.exe PID 1008 TCP localhost 1028 localhost port 0
    For other processes / sockets I could imagine some netstatsockets in the list.
    But then still I don't feel good with the garbled IP addresses and no names in your case.
    Does the Socket Spy show any data on them in your case?

    BTW: to make sure there is no software conflict, have you tried to temporarily close the other protection one by one and looked at Port Explorer for differences?
    I am searching for the other recent thread about the sockets still showing while they are dead already. This because you have several connections on one port showing, which should not be possible if all are alive at the same moment.
    For this reason the packet sniffing is important.
    This does not explain the garbled IP addresses yet nor the high IP range and maybe it is logical there is no process name anymore if they are dead already and there is no process anymore.

    I see it when I open the CryptoSuite chat as a client and the connection drops: I still see the icon and socket, and even after reconnecting I get the same PID on them and a new time of creation, but the old dropped socket is still there. Those older sockets are even on the same port but there is no data on them -- hence your packet sniffing comes into question here.
    Only when I close CryptoSuite completely do all those older sockets disappear with it. It reminds me of your description.
     
    Last edited: Jun 8, 2005
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Pho3NiXW0rlD,

    I'd be inclined to suspect a corrupt Port Explorer install or a conflict with other software since these results just do not appear to be valid (IP addresses ending in 0 refer to networks normally rather than single machines, the process numbers are too high and presumably don't match those shown in Task Manager or Process Explorer and normally only one process should own an open port).

    If you have not already tried it, I'd suggest an uninstall/reinstall (with your PC disconnected from the Internet and ensuring that you disable PG and anti-virus/trojan scanners during this time). I'd also suggest following this Minimizing Windows network services guide to lessen the number of network connections made by svchost.
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Protocol : Other.. there's the problem I feel. Some strange protocols couldn't be supported, is there any reason this could be the case ?

    But first the obvious..
    This is AFTER a reboot, I take it? You need a reboot after install.
    There wasn't an old version installed, was there? If you try to upgrade and have the OLD dcsws2.dll and the NEW PE executable, you will see a problem like this..
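
As an added illustration (not DiamondCS code and not part of any post in this thread): a one-byte layout disagreement between the component that writes socket records and the one that reads them would yield the kind of values reported here (PID 303104, local addresses 0.127.0.0 and 0.192.168.1), and the plausibility checks Paranoid2000 lists catch such rows. The record layout, the flag byte and PID 1184 are assumptions made for the example.

```python
import socket
import struct

# Assumed layouts for illustration only; not Port Explorer's real record format.
WRITER = struct.Struct("<BI4s")  # flag byte, PID (little-endian), local IPv4
READER = struct.Struct("<I4s")   # reader built for a layout without the flag byte


def write_record(flag, pid, local_ip):
    """Serialise one socket row the way the (hypothetical) writer does."""
    return WRITER.pack(flag, pid, socket.inet_aton(local_ip))


def read_record(raw):
    """Parse the row with the mismatched reader: every field is read one byte early."""
    pid, ip = READER.unpack_from(raw, 0)
    return pid, socket.inet_ntoa(ip)


def implausible(pid, local_ip, live_pids, interface_ips):
    """Return the reasons a row cannot describe a real local socket."""
    reasons = []
    if pid not in live_pids:
        reasons.append("PID not in process list")
    if local_ip != "0.0.0.0" and local_ip not in interface_ips:
        reasons.append("local address not assigned to this host")
    return reasons


# Constructed sample data: PID 1184 is invented; the addresses are those quoted in the thread.
LIVE_PIDS = {1184}
INTERFACE_IPS = {"127.0.0.1", "192.168.1.50"}


def demo():
    rows = []
    for ip in ("127.0.0.1", "192.168.1.50"):
        pid, seen_ip = read_record(write_record(0, 1184, ip))
        rows.append((pid, seen_ip, implausible(pid, seen_ip, LIVE_PIDS, INTERFACE_IPS)))
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Rows that fail both checks point at the tool's own parsing or install state before they point at a hidden process, which is why the reinstall and DLL version questions come first.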
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    So it could be possible the old dll was not properly unregistered for the new install in that case.

    Pilli told me to think of an LSPfix / check as well.
     
  12. Pho3NiXW0rlD

    Pho3NiXW0rlD Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    5
    There were many requests for me to use Socket Spy and sniff packets ...
    I left the Socket Spy open for a couple of hours and nothing got through.

    If, as someone mentioned, they are 'dead' connections,
    maybe it's normal not to capture anything.
    I don't have more luck with Ethereal.
    I'll go through the process of cleaning out the files currently installed and reinstall PE.
    I have already disabled the other means of protection.

    Good news is that in safe mode I have no garbage data ... so, well, there's a little hope :)

    I'll read and apply your link on limiting svchost connections.
    I also realised that each time I start PE on a freshly booted machine, there are 3 svchost processes that are created.

    Sorry for not being more active here ... I have a lot of things to do now.
     