Windows update

 
 
Warwick
07-24-2004
I have been offline for awhile, so when windows update manager realised I
had connectivity again, it spat up a long list of critical updates I
needed.
Fine.
Except the icon in sys tray disappeared after 10 minutes, however the modem
is still xferring data flat out, with no other web based applications
running.
My question is, "is the update manager still running, even tho the icon has
been removed from systray?"

TIA
Warwick
 
Warwick
07-24-2004
On Sat, 24 Jul 2004 14:51:27 +1200, Warwick wrote:

> I have been offline for awhile, so when windows update manager realised I
> had connectivity again, it spat up a long list of critical updates I
> needed.
> Fine.
> Except the icon in sys tray disappeared after 10 minutes, however the modem
> is still xferring data flat out, with no other web based applications
> running.
> My question is, "is the update manager still running, even tho the icon has
> been removed from systray?"
>
> TIA
> Warwick


but wait there's more ....
I am not firewalled at present. appended is the output of netstat.
modem says 20 MB have been sent (!!!?) 8 MB have been rec'd.
Netstat indicates some kind of microsoft lunacy. What is microsoft-ds?

Update has clearly not been working, it turned itself off so I could better
send a heap of meaningless requests to someone - it is 8% complete after 2
and a half hours.

Despite the grief sygate caused I want to reinstall, however I can't get
enough bandwidth for the dload to start. Probably because of all the
bullshit below.

 
AD.
07-24-2004
On Sat, 24 Jul 2004 15:13:24 +1200, Warwick wrote:

> What is microsoft-ds?


Looking in system32/drivers/etc/services indicates that it is port 445
(both udp and tcp).

From memory I think port 445 is the new W2K and later netbios free version
of CIFS (ie file sharing). I don't know why Windows Update would be using
CIFS though.

Cheers
Anton
 
Kristofer Clayton
07-24-2004
On Sat, 24 Jul 2004 15:13:24 +1200, Warwick
<> wrote:

>On Sat, 24 Jul 2004 14:51:27 +1200, Warwick wrote:
>
>> I have been offline for awhile, so when windows update manager realised I
>> had connectivity again, it spat up a long list of critical updates I
>> needed.
>> Fine.
>> Except the icon in sys tray disappeared after 10 minutes, however the modem
>> is still xferring data flat out, with no other web based applications
>> running.
>> My question is, "is the update manager still running, even tho the icon has
>> been removed from systray?"
>>
>> TIA
>> Warwick


> Proto Local Address Foreign Address State
> TCP brass:1045 210-246-54-160.paradise.net.nz:microsoft-ds
>TIME_WAIT
> TCP brass:1091 210-246-54-160.paradise.net.nz:microsoft-ds
>TIME_WAIT


Your computer has been compromised by a worm because you didn't enable
the firewall. The worm is now using your PC to hit other computers in
your subnet to infect them. This will slow your internet connection
down a LOT.

Get a virus scanner, and get firewalled ASAP.


--
Kristofer Clayton (KJClayton)
Gisborne, New Zealand
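
The pattern this reply reads out of the netstat output, many half-open SYN_SENT connections to microsoft-ds (port 445) on different hosts, can be checked mechanically. The Python below is an added example, not part of the original thread; the sample output, the threshold and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample shaped like the post's netstat output: service names for
# ports and a State column that sometimes wraps. Documentation addresses only.
SAMPLE = """\
Active Connections

  Proto  Local Address   Foreign Address                    State
  TCP    brass:1045      host-a.example.net:microsoft-ds
TIME_WAIT
  TCP    brass:1446      192.0.2.10:microsoft-ds            SYN_SENT
  TCP    brass:1447      192.0.2.11:microsoft-ds            SYN_SENT
  TCP    brass:1448      host-b.example.net:microsoft-ds
SYN_SENT
  TCP    brass:wins      192.0.2.12:445                     SYN_SENT
  TCP    brass:1450      198.51.100.7:microsoft-ds          ESTABLISHED
  TCP    brass:1451      updates.example.com:http           ESTABLISHED
"""

STATES = {"SYN_SENT", "ESTABLISHED", "TIME_WAIT", "CLOSE_WAIT", "FIN_WAIT_1",
          "FIN_WAIT_2", "LAST_ACK", "LISTENING", "SYN_RECEIVED", "CLOSING"}
# Service names as netstat prints them when it resolves ports from etc/services.
PORT_ALIASES = {"microsoft-ds": "445", "epmap": "135", "netbios-ssn": "139",
                "http": "80", "https": "443"}


def parse_netstat(text):
    """Yield (local, remote_host, remote_port, state), rejoining wrapped rows."""
    pending = None
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        if pending and len(fields) == 1 and fields[0] in STATES:
            fields = pending + fields      # state that wrapped onto this line
        pending = None
        if fields[0] != "TCP":
            continue
        if len(fields) == 3:               # row whose state is on the next line
            pending = fields
            continue
        if len(fields) != 4:
            continue
        host, _, port = fields[2].rpartition(":")
        yield fields[1], host, PORT_ALIASES.get(port, port), fields[3]


def outbound_fanout(text, threshold=3):
    """Return {remote_port: distinct_hosts} for ports with many SYN_SENT rows."""
    targets = defaultdict(set)
    for _local, host, port, state in parse_netstat(text):
        if state == "SYN_SENT":
            targets[port].add(host)
    return {p: len(h) for p, h in targets.items() if len(h) >= threshold}


if __name__ == "__main__":
    for port, count in outbound_fanout(SAMPLE).items():
        print(f"port {port}: SYN_SENT to {count} distinct hosts")
```

A single port with SYN_SENT rows to many distinct hosts, as in the output posted above, is the signature of outbound scanning rather than of an update download.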
 
Warwick
07-24-2004
On Sat, 24 Jul 2004 15:42:08 +1200, Kristofer Clayton wrote:

> On Sat, 24 Jul 2004 15:13:24 +1200, Warwick
> <> wrote:
>
>>On Sat, 24 Jul 2004 14:51:27 +1200, Warwick wrote:
>>
>>> I have been offline for awhile, so when windows update manager realised I
>>> had connectivity again, it spat up a long list of critical updates I
>>> needed.
>>> Fine.
>>> Except the icon in sys tray disappeared after 10 minutes, however the modem
>>> is still xferring data flat out, with no other web based applications
>>> running.
>>> My question is, "is the update manager still running, even tho the icon has
>>> been removed from systray?"
>>>
>>> TIA
>>> Warwick

>
>> Proto Local Address Foreign Address State
>> TCP brass:1045 210-246-54-160.paradise.net.nz:microsoft-ds
>>TIME_WAIT
>> TCP brass:1091 210-246-54-160.paradise.net.nz:microsoft-ds
>>TIME_WAIT

>
> Your computer has been compromised by a worm because you didn't enable
> the firewall. The worm is now using your PC to hit other computers in
> your subnet to infect them. This will slow your internet connection
> down a LOT.
>
> Get a virus scanner, and get firewalled ASAP.


Thanks mate, that is precisely what I am doing.
Though I think it is reinfecting itself. I turned system restore off and
AVG is still showing trojans, trojans that it cannot move.

Sygate is re downloading at a painful 1.66 kbps

It amazes me. The machine was clean when I took it offline several months
ago. I have been online for less than 2 hours and there are infections
everywhere. And I have not configured or used email yet.

Airborne viri? Infected via mosquito?

cheers
 
Ryan Jacobs
07-24-2004

"Warwick" <> wrote in message
news:1tee7h15ge4h1.mylmpkvncde5$....
> On Sat, 24 Jul 2004 15:42:08 +1200, Kristofer Clayton wrote:
>
> > On Sat, 24 Jul 2004 15:13:24 +1200, Warwick
> > <> wrote:
> >
> >>On Sat, 24 Jul 2004 14:51:27 +1200, Warwick wrote:
> >>
> >>> I have been offline for awhile, so when windows update manager realised I
> >>> had connectivity again, it spat up a long list of critical updates I
> >>> needed.
> >>> Fine.
> >>> Except the icon in sys tray disappeared after 10 minutes, however the modem
> >>> is still xferring data flat out, with no other web based applications
> >>> running.
> >>> My question is, "is the update manager still running, even tho the icon has
> >>> been removed from systray?"
> >>>
> >>> TIA
> >>> Warwick
> >
> >> Proto Local Address Foreign Address State
> >> TCP brass:1045 210-246-54-160.paradise.net.nz:microsoft-ds
> >>TIME_WAIT
> >> TCP brass:1091 210-246-54-160.paradise.net.nz:microsoft-ds
> >>TIME_WAIT
> >
> > Your computer has been compromised by a worm because you didn't enable
> > the firewall. The worm is now using your PC to hit other computers in
> > your subnet to infect them. This will slow your internet connection
> > down a LOT.
> >
> > Get a virus scanner, and get firewalled ASAP.
>
> Thanks mate, that is precisely what I am doing.
> Though I think it is reinfecting itself. I turned system restore off and
> AVG is still showing trojans, trojans that it cannot move.
>
> Sygate is re downloading at a painful 1.66 kbps
>
> It amazes me. The machine was clean when I took it offline several months
> ago. I have been online for less than 2 hours and there are infections
> everywhere. And I have not configured or used email yet.
>
> Airborne viri? Infected via mosquito?
>
> cheers


Think about it. It was clean when last used months ago, right? Do you think
that in the interim that all the virus/trojan/etc writers went on holiday
too? Of course not. Since you needed internet access to get the interim
patches, you needed a firewall to protect you. Two minutes online is all
that is needed to get infected.

RJ out.


 
~misfit~
07-24-2004
Warwick wrote:

> It amazes me. The machine was clean when I took it offline several
> months ago. I have been online for less than 2 hours and there are
> infections everywhere. And I have not configured or used email yet.
>
> Airborne viri? Infected via mosquito?


A friend of mine (it wasn't me, honest!) did a format/fresh install of 2K
and installed DU Meter, then went on-line to update AVG with no firewall.
(Was going to download a firewall next) Within 60 seconds more data was
going out than was coming in. It had a worm/trojan and it had been infected
in under a minute! This was confirmed when the AVG update had downloaded and
was run. It can take *seconds* for an unprotected PC to get infected, you
may have infected a few yourself.
--
~misfit~


 
Kristofer Clayton
07-24-2004
On Sat, 24 Jul 2004 15:57:47 +1200, Warwick
<> wrote:


>> Get a virus scanner, and get firewalled ASAP.

>
>Thanks mate, that is precisely what I am doing.
>Though I think it is reinfecting itself. I turned system restore off and
>AVG is still showing trojans, trojans that it cannot move.


The viruses stay running and resident in memory. I've found that
starting up in Safe Mode will help, then re-running the scanner.

It spreads via holes in the windows RPC system usually, so you don't
have to click on an e-mail or accept an ActiveX plugin on a website.
The viruses jump from machine to machine within seconds, automatically
installing themselves then broadcasting out looking for other hosts to
infect.

The RPC system has been patched by Windows updates but as you've found
out, it's hard to be up-to-date BEFORE downloading updates! The
"Internet Connection Firewall" that came with XP is good enough to
block most of these infiltrations before you can get the system
patched and a decent firewall installed.

It's generally the Sasser worm and variants that get in first. Try
grabbing the Sasser removal tool from Symantec's website, it may weed
out things that AVG refuses to touch. As a good measure, try running
that in Safe Mode too.

--
Kristofer Clayton (KJClayton)
Gisborne, New Zealand
 
Dave - Dave.net.nz
07-24-2004
Ryan Jacobs wrote:
> Two minutes online is all
> that is needed to get infected.


2... hah, try 10 seconds, just enough time to dl it on dialup.
 
Ryan Jacobs
07-24-2004

"Dave - Dave.net.nz" <Dave@_no_spam_here_please_dave.net.nz> wrote in
message news:...
> Ryan Jacobs wrote:
> > Two minutes online is all
> > that is needed to get infected.

>
> 2... hah, try 10 seconds, just enough time to dl it on dialup.


Yeah, you're right. My bad

RJ out.


 