Request to connect at startup

Discussion in 'Computer Security' started by GRL, Feb 12, 2005.

  1. GRL

    GRL Guest

    I need to find the process which requests to connect at startup
    (WinXPPro-SP1). I'm using "Process Explorer", but I'm not able to identify
    exactly this process. Can someone help me?
    Thanks in advance.
    Giovanni
     
    GRL, Feb 12, 2005
    #1

  2. KHaled

    KHaled Guest

    "GRL" <> wrote in
    news::

    > I need to find the process which requests to connect at
    > startup (WinXPPro-SP1). I'm using "Process Explorer", but
    > I'm not able to identify exactly this process. Can someone
    > help me? Thanks in advance.
    > Giovanni
    >
    >
    >


    That's interesting.. I am having the same problem. I use
    Outpost (free) firewall, and what I noticed is that a DNS
    cache entry to website.ws was deleted, at a time when I had
    no applications that should have requested such a
    transaction.



    --
    KHaled

    e-mail: khaledihREMOVEUPPERCASELETTERS at fusemail dot com
    (correcting antispam crap..)
    please start your subject line with the string "==NG=="
     
    KHaled, Feb 13, 2005
    #2

  3. donnie

    donnie Guest

    On 13 Feb 2005 15:51:28 GMT, KHaled <> wrote:

    >"GRL" <> wrote in
    >news::
    >
    >> I need to find the process which requests to connect at
    >> startup (WinXPPro-SP1). I'm using "Process Explorer", but
    >> I'm not able to identify exactly this process. Can someone
    >> help me? Thanks in advance.
    >> Giovanni
    >>
    >>
    >>

    >
    >Thats interesting.. I am having the same problem. I use
    >Outpost (free) firewall, and what I noticed is that a DNS
    >cache entry to website.ws was deleted, at a time when I had
    >no applications that should have requested such a
    >transaction.

    ##########################
    Let it connect, then run
    netstat -an at a DOS prompt.
    Look at the connections in the Foreign Address column. Note the IP
    address and the port.
    donnie.
     
    donnie, Feb 14, 2005
    #3
  4. GRL

    GRL Guest

    OK, thank you for your suggestion, it runs, but using a whois program I find
    only the net range the IP address is inside. Is there a way to identify
    exactly the address I'm involved in?
    Thanks.
    Giovanni
    "donnie" <> wrote in message
    news:...
    > On 13 Feb 2005 15:51:28 GMT, KHaled <> wrote:
    >
    > >"GRL" <> wrote in
    > >news::
    > >
    > >> I need to find the process which requests to connect at
    > >> startup (WinXPPro-SP1). I'm using "Process Explorer", but
    > >> I'm not able to identify exactly this process. Can someone
    > >> help me? Thanks in advance.
    > >> Giovanni
    > >>
    > >>
    > >>

    > >
    > >Thats interesting.. I am having the same problem. I use
    > >Outpost (free) firewall, and what I noticed is that a DNS
    > >cache entry to website.ws was deleted, at a time when I had
    > >no applications that should have requested such a
    > >transaction.

    > ##########################
    > Let it connect, then run
    > netstat -an at a DOS prompt.
    > Look at the connections in the Foreign Address column. Note the IP
    > address and the port.
    > donnie.
     
    GRL, Feb 14, 2005
    #4
  5. donnie

    donnie Guest

    On Mon, 14 Feb 2005 21:06:20 +0100, "GRL" <> wrote:

    >Ok, thank you for your suggestion, it runs, but using a whois program I find
    >only the net range the IP address is inside. Is there a way to identify
    >exactly the address I'm involved in?
    >Thanks.
    >Giovanni

    ######################
    The IP in the foreign address column is the exact machine where the
    information is going. The port # is also there. That shows you the
    type of connection. With that information, you can do a few things.
    One of them is the whois to tell you who owns the machine. A search
    of the registry for that name may lead you to the exe that is making
    it happen.
    Let me give you an example. At one point a friend of mine had a
    Compaq Windows 95 machine that was opening an FTP connection (Port 21)
    to an IP address belonging to encompas.com. I looked in the registry
    for encompas and found it in HKLM, Software, Microsoft,
    Windows, CurrentVersion, Run, which is where many trojans hide. I then
    found the name of some big shot there who shall remain nameless, Steve
    Linowes, and I called him. He just gave me the runaround. Since
    then Yahoo bought encompas. Anyway, I had her delete the entry in the
    registry and that was the end of it. It was then I made up the term
    "proprietary trojans", which are trojans created by major companies and
    not so-called black hat hackers. Of course Norton and the like don't
    protect against them since they might be doing the same.
    Anyway, getting back to your machine, you can also try to get the
    NetBIOS table of that machine with
    nbtstat -A IP_address
    at a DOS prompt. If that doesn't work, you can try a null session.
    Enum is one such program, although I use another one written by Harlan
    Carvey.
    If you can't get to the bottom of it, post the IP here or send an
    email to
    donnie.
     
    donnie, Feb 14, 2005
    #5
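The two replies above (netstat at a DOS prompt in #3, reading the Foreign Address column in #5) are enough to see where the machine connects, but not which process does it. Windows XP's netstat also accepts the -o switch, which adds the owning PID as a final column, and that PID is what Process Explorer needs to name the executable. The script below is an added example written for this thread, not code posted by anyone in it. It parses netstat -ano output, keeps only TCP connections that are established or being opened to another host (wildcard, unspecified and loopback peers are dropped), and groups the foreign endpoints by PID. The netstat table embedded in it is constructed (RFC 5737 documentation addresses, invented PIDs) so the parser can be exercised offline; on Windows the script runs the real command instead.

```python
import ipaddress
import subprocess
import sys
from collections import namedtuple

# Constructed sample of "netstat -ano" output in the Windows XP column layout.
# Addresses come from the RFC 5737 documentation ranges; the PIDs are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1180
  TCP    192.0.2.10:1033        198.51.100.7:21        ESTABLISHED     1532
  TCP    192.0.2.10:1034        203.0.113.5:80         SYN_SENT        1532
  TCP    192.0.2.10:1035        192.0.2.1:139          ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

Connection = namedtuple("Connection", "proto local foreign state pid")


def parse_netstat(text):
    """Turn netstat -ano output into Connection records, skipping banner and header lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # "Active Connections", blank line or the column header
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""  # UDP is connectionless; netstat prints no state column
        else:
            continue  # unexpected layout, e.g. output produced without -o
        conns.append(Connection(proto, local, foreign, state, int(pid)))
    return conns


def split_endpoint(endpoint):
    """'198.51.100.7:21' -> ('198.51.100.7', '21'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def is_remote(host):
    """True for a real peer address; False for wildcard, unspecified or loopback."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))  # strip IPv6 brackets
    except ValueError:
        return False  # '*' or another non-address placeholder
    return not (addr.is_unspecified or addr.is_loopback)


def outbound_connections(text):
    """TCP connections that are established or being opened to another host."""
    return [
        c for c in parse_netstat(text)
        if c.proto == "TCP"
        and c.state in ("ESTABLISHED", "SYN_SENT")
        and is_remote(split_endpoint(c.foreign)[0])
    ]


def peers_by_pid(conns):
    """Map each owning PID to the sorted list of foreign endpoints it talks to."""
    grouped = {}
    for c in conns:
        grouped.setdefault(c.pid, []).append(c.foreign)
    return {pid: sorted(peers) for pid, peers in grouped.items()}


if __name__ == "__main__":
    # On Windows read the live table; elsewhere fall back to the constructed sample.
    if sys.platform == "win32":
        text = subprocess.run(["netstat", "-ano"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_NETSTAT
    for pid, peers in sorted(peers_by_pid(outbound_connections(text)).items()):
        print(f"PID {pid}: {', '.join(peers)}")
```

Run it right after boot, while the connection the firewall complains about is still open, and take the PID it prints to Process Explorer (or to tasklist /FI "PID eq 1532" at the same prompt) to get the image name and path. PID 4 is the System process; a connection owned by it to port 139 or 445 is normally Windows file sharing rather than an application, which is why the sample separates it from the user process. The whois and registry Run-key search from reply #5 then apply to whatever executable the PID resolves to.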
