OT: virus or such

One of the XP boxes is pouring outgoing packets to the web. I ran AVG, Spybot S&D, Ad-Aware, Easy Cleaner (registry cleaner) over and over all day long and found a bunch of viruses and bots. But the box is still outputting data, though running a lot better. I've usually been able to clean up a box with this procedure, and everything is freshly updated. Is there a way to find out what and where the packets are going? Is there a cool tool that I'm missing? I know the firewall in the router and XP's firewall don't stop outgoing; maybe another firewall, but I hate all the overhead. Norton, Symantec, McAfee NOT allowed in the building, I'd rather have a virus! SOMEBODY confessed they were running a crack for something they "found" on the web.

Reply to
Tom Gardner

Throw "ZoneAlarm" on there, and see what proc it says is trying to send things outbound.

XP's firewall is slightly better than nothing. Maybe not, because it doesn't do outbound from what we've both seen. ZoneAlarm has a free version that works quite nicely and will tell you what's what.

Dave Hinz

Reply to
Dave Hinz

"Tom Gardner" wrote in news:Zqdzf.11496$F snipped-for-privacy@newssvr29.news.prodigy.net:

formatting link
Click on utilities. There you will find a bunch of really c00l tools for XP, like process explorer, which will even show you what threads belong to what program, and tcpview, which is like netstat on steroids, and will show you what program is connected to what IP/ports on XP/W2K.

Reply to
Anthony

I've used The Cleaner, from Moosoft, successfully. It worked for me twice where everything else failed and, as I remember, it takes care of trojans as well as some other stuff.

formatting link
Roger

"Tom Gardner"

Reply to
Roger Jones

What a GREAT collection of cool-tools, thanks!!!

Reply to
Tom Gardner

According to Tom Gardner:

That sounds like whatever it is pounding on my e-mail ports. I block a large number of IP addresses from which I have received spam, and recently (past three weeks or so), I have seen large numbers of repeated attempts to deliver e-mail even though I'm refusing connections.

One recent one made 1347 connection attempts in about an hour and three minutes. Another made 14000+ in about four hours.

I've started simply discarding the packets (by routing them to 127.0.0.1) so I vanish off the net from such sites.

But this suggests that your machine is being used to either send spam, or to attempt to infect other machines, with no attention paid to refusals to connect, so of course it is chewing up a major part of your machine's resources.

Well ... various Unix systems have tools like "etherfind", "snoop", "tcpdump" and such, which can be asked to look at the traffic between two machines, or simply all traffic to/from one machine. Note that the odds are that whatever machine is on the other end of the connection is under attack, rather than participating in the attack on your system.

The port involved in this behavior is port 25 (the SMTP (Simple Mail Transport Protocol) port).

Some kind of firewall which is configured to prevent port 25 connections in either direction would probably be a big help in controlling this. Your machine, since it is not a server, should not be using that port, and will instead be using the POP (Post Office Protocol) ports 109 and 110 for pop2 and pop3. That is what your system most likely uses to talk to the mail server to get and send e-mail.

Good Luck, DoN.

Reply to
DoN. Nichols

Tom, Go to

formatting link

Download their little executable program

Run the program and then paste the results into the analysis window on the hijack-this website.

It will tell you what the problem is and usually how to fix it.

I had a similar problem twice ages ago, all the scanners found problems but didn't fix it. Running the hijack this prog fixed it.

Google "hijack this" to confirm the above info before downloading and running the program - I try not to run downloaded executables suggested by others without checking it out first!

Good luck - it took me a while to get rid of it last time. Rob

Reply to
Rob
