
[System Process]:0 Virus?

Discussion in 'Windows Security' started by Frank Martin, Jun 5, 2009.

  1. Frank Martin

    Frank Martin Guest

    I have WindowsXP Pro.

    Just today my internet connection has slowed right down, and
    an inspection of "Windows Task Manager" shows a lot of
    traffic even though I am not using any internet
    applications.

    I have run TCPView and there are numerous TCP protocol
    addresses in a "TIME_WAIT" state, all with the process name
    "[System Process]:0". All the remote addresses attached to
    this process have different names, and there are about 100
    of them.


    Can someone help me.
    Regards, Frank
     
  2. From: "Frank Martin" <fm@general.com.au>

    | I have WindowsXP Pro.

    | Just today my internet connection has slowed right down, and
    | an inspection of "Windows Task Manager" shows a lot of
    | traffic even though I am not using any internet
    | applications.

    | I have run TCPView and there are numerous TCP protocol
    | addresses in a "TIME_WAIT" state, all with the process name
    | "[System Process]:0. All the remote addresses attached to
    | this process have different names, and there are about 100
    | of them.


    | Can someone help me.
    | Regards, Frank


    It sounds like malware has injected a process into the kernel.

    What anti virus/anti malware software have you used to scan the PC ?

    --
    Dave

    Multi-AV -
     
  3. Frank Martin

    Frank Martin Guest

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    message news:uhZIxzp5JHA.1420@TK2MSFTNGP04.phx.gbl...
    > From: "Frank Martin" <fm@general.com.au>
    >
    > | I have WindowsXP Pro.
    >
    > | Just today my internet connection has slowed right down,
    > and
    > | an inspection of "Windows Task Manager" shows a lot of
    > | traffic even though I am not using any internet
    > | applications.
    >
    > | I have run TCPView and there are numerous TCP protocol
    > | addresses in a "TIME_WAIT" state, all with the process
    > name
    > | "[System Process]:0. All the remote addresses attached
    > to
    > | this process have different names, and there are about
    > 100
    > | of them.
    >
    >
    > | Can someone help me.
    > | Regards, Frank
    >
    >
    > It sounds like malware has injected a process into the
    > kernel.
    >
    > What anti virus/anti malware software have you used to
    > scan the PC ?
    >
    > --
    > Dave
    >
    > Multi-AV -



    Thanks,
    I have used "stopZilla", "ADaware", "Spybot search &
    destroy", "Malwarebytes Anti-malware", MS
    "malicious-software removal tool", also "CCleaner (with reg
    cleaner)", and other reg cleaners,

    Also I am running the "whatslivern" software.

    This happened once before but with a different Process Name,
    as I remember I fixed this by ticking and deleting one of
    the lines in the "HiJack This" lists, which was:
    "F2Reg:system.ini:
    Shell=Explorer.exe\C:\Windows\Config\csrss.exe".


    Regards, Frank
     
  4. From: "Frank Martin" <fm@general.com.au>




    | Thanks,
    | I have used "stopZilla", "ADaware", "Spybot search &
    | destroy", "Malwarebytes Anti-malware", MS
    | "malicious-software removal tool", also "CCleaner (with reg
    | cleaner)", and other reg cleaners,

    | Also I am running the "whatslivern" software.

    | This happened once before but with a different Process Name,
    | as as I remember I fixed this by ticking and deleting one of
    | the lines in the "HiJack This" lists, which was:
    | "F2Reg::system.ini: Shell=Explorer.exe\C:\Windows\Config\csrss.exe.


    | Regards, Frank


    StopZilla - not that good anti adware/spyware
    CCleaner - not anti malware.
    Reg Cleaners in general - snake oil
    whatslivern - is a 2007 plagiarised version of Andrew Aranoff's Silent Runners and if you
    are going to use such software, use the original from the real author, Andrew Aranoff,
    which was last updated Dec. '08, revision 59. --



    Usually at this point I'd have you post in an expert forum. However, in this case, I have
    a gut feeling.

    I'd like you to scan your PC using the AntiRootkit utility Gmer and to use the McAfee and
    Sophos modules in my Multi AV Scanning Tool.





    Download MULTI_AV.EXE from the URL --

    or



    or


    English:



    To use this utility, perform the following...
    Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    Choose; Unzip
    Choose; Close

    Execute; C:\AV-CLS\StartMenu.BAT
    { or Double-click on 'Start Menu' in C:\AV-CLS }

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    FireWall to allow it to download the needed AV vendor related files.

    C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    This will bring up the initial menu of choices and should be executed in Normal Mode.
    This way all the components can be downloaded from each AV vendor's web site.
    The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

    You can choose to go to each menu item and just download the needed files or you can
    download the files and perform a scan in Normal Mode. Once you have downloaded the files
    needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    during boot] and re-run the menu again and choose which scanner you want to run in Safe
    Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

    When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    file.



    * * * Please report back your results * * *




    --
    Dave

    Multi-AV -
     
  5. Frank Martin

    Frank Martin Guest

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    message news:ecN1ebx5JHA.1096@TK2MSFTNGP06.phx.gbl...
    > From: "Frank Martin" <fm@general.com.au>
    >
    >
    >
    >
    > | Thanks,
    > | I have used "stopZilla", "ADaware", "Spybot search &
    > | destroy", "Malwarebytes Anti-malware", MS
    > | "malicious-software removal tool", also "CCleaner (with
    > reg
    > | cleaner)", and other reg cleaners,
    >
    > | Also I am running the "whatslivern" software.
    >
    > | This happened once before but with a different Process
    > Name,
    > | as as I remember I fixed this by ticking and deleting
    > one of
    > | the lines in the "HiJack This" lists, which was:
    > | "F2Reg::system.ini:
    > Shell=Explorer.exe\C:\Windows\Config\csrss.exe.
    >
    >
    > | Regards, Frank
    >
    >
    > StopZilla - not that good aanti adware/spyware
    > CCleaner - not anti malware.
    > Reg Cleaners in general - snake oil
    > whatslivern - is a 2007 plagiarised version of Andrew
    > Aranoff's Silent Runners and if you
    > are going to use such software, use the orginal from the
    > real author, Andrew Aranoff,
    > which was last updated Dec. '08, revision 59. --
    >
    >
    >
    >
    > Usually at this point I'd have you post in an expert
    > forum. However, in this case, I have
    > a gut feeling.
    >
    > I'd like you to scan your PC using the AntiRootkit utility
    > Gmer and to use the McAfee and
    > Sophos modules in my Multi AV Scanning Tool.
    >
    >
    >

    >
    >
    > Download MULTI_AV.EXE from the URL --
    >

    > or
    >

    >
    >

    > or
    >

    >
    > English:
    >

    >
    >
    > To use this utility, perform the following...
    > Execute; Multi_AV.exe { Note: You must use the default
    > folder C:\AV-CLS }
    > Choose; Unzip
    > Choose; Close
    >
    > Execute; C:\AV-CLS\StartMenu.BAT
    > { or Double-click on 'Start Menu' in C:\AV-CLS }
    >
    > NOTE: You may have to disable your software FireWall or
    > allow WGET.EXE to go through your
    > FireWall to allow it to download the needed AV vendor
    > related files.
    >
    > C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start
    > Menu' in C:\AV-CLS}
    > This will bring up the initial menu of choices and should
    > be executed in Normal Mode.
    > This way all the components can be downloaded from each AV
    > vendor's web site.
    > The choices are; Sophos, Trend, McAfee, Kaspersky, Exit
    > this menu and Reboot the PC.
    >
    > You can choose to go to each menu item and just download
    > the needed files or you can
    > download the files and perform a scan in Normal Mode. Once
    > you have downloaded the files
    > needed for each scanner you want to use, you should reboot
    > the PC into Safe Mode [F8 key
    > during boot] and re-run the menu again and choose which
    > scanner you want to run in Safe
    > Mode. It is suggested to run the scanners in both Safe
    > Mode and Normal Mode.
    >
    > When the menu is displayed hitting 'H' or 'h' will bring
    > up a more comprehensive PDF help
    > file.
    >
    >
    >
    > * * * Please report back your results * * *
    >
    >
    >
    >
    > --
    > Dave
    >

    > Multi-AV -


    Thanks, I installed the Gmer software and ran it and it gave
    a screen with 3 lines, though not in red. I no longer have
    these (see below).

    I downloaded and installed the MULTI_AV software into the
    C:\AV_CLS as instructed and this subsequently gave the
    coloured DOS-type window with the four sites.
    The first one downloaded OK, but the second one, after a
    while induced Windows error screens saying "Windows Files
    are being replaced with other similar ones" and then the
    MULTI_AV software froze up, and I then rebooted the
    computer.

    On startup the reboot stopped at a black-screen stage and
    gave the error message "NTLDR not found" and so I was
    locked out.

    I then went to a Ghost12 backup and rebooted from the Ghost
    disk and recovered the C Drive (only) of 12 April 09. All
    my other partitions seem OK. But I seem to have lost all
    the results of the Gmer software and any fragments of the
    MULTI_AV.

    The TCPView software shows the virus has disappeared too,
    though this may be too soon to tell.

    Perhaps this has fixed the virus?

    How can I stop it coming back; this morning when it was
    there there were about 200 sites being fed from my computer.

    Regards, Frank
     
  6. From: "Frank Martin" <fm@general.com.au>



    | Thanks, I installed the Gmer software and ran it and it gave
    | a screen with 3 lines, though not in red. I no longer have
    | these (see below).

    | I downloaded and installed the MULTI_AV software into the
    | C:\AV_CLS as instructed and this subsequently gave the
    | coloured DOS-type window with the four sites.
    | The first one downloaded OK, but the second one, after a
    | while induced Windows error screens saying "Windows Files
    | are being replaced with other similar ones" and then the
    | MULTI_AV software froze up, and I then rebooted the
    | computer.

    | On startup the reboot stopped at a black-screen stage and
    | gave the error message "NTLDR not found" and so I was
    | locked out.

    | I then went to a Ghost12 backup and rebooted from the Ghost
    | disk and recovered the C Drive (only) of 12 April 09. All
    | my other partitions seem OK. But I seem to have lost all
    | the results of the Gmer software and any fragments of the
    | MULTI_AV.

    | The TCPView software shows the virus has disappeared too,
    | though this may be too soon to tell.

    | Perhaps this has fixed the virus?

    | How can I stop it coming back; this morning when it was
    | there there were about 200 sites being fed from my computer.

    | Regards, Frank

    Some very curious results and from your descriptions of them, I can't interpret them :-(









    --
    Dave

    Multi-AV -
     
  7. VanguardLH

    VanguardLH Guest

    Frank Martin wrote:
    > I have WindowsXP Pro.
    >
    > Just today my internet connection has slowed right down, and
    > an inspection of "Windows Task Manager" shows a lot of
    > traffic even though I am not using any internet
    > applications.
    >
    > I have run TCPView and there are numerous TCP protocol
    > addresses in a "TIME_WAIT" state, all with the process name
    > "[System Process]:0. All the remote addresses attached to
    > this process have different names, and there are about 100
    > of them.

    _ "[System Process]:0" in TIME_WAIT state shown in TCPview _

    Do they go away after 4 minutes?

    In SysInternals TCPview (used to show current network connections),
    there may be connections shown with a process name of "[System
    Process]:0". This is the same process shown as "System" (PID = 4) in
    the Processes tab in Task Manager. TCPview will show the state of those
    connections as TIME_WAIT. You cannot look at the properties of those
    connections (because they are orphaned connections waiting to timeout).

    Your web browser connects to a web server and retrieves many files from
    there, like a .jpg file to show an image in a web page. Even if there
    is already a locally cached copy of that file, the web browser needs to
    check if there is a newer version of it. In response, the web server
    sends back "304 not modified" which means the file has not changed from
    the copy in the web browser's local cache. Your web browser then sends
    a FIN (a TCP disconnect request) whereupon the web server responds with
    its own FIN. This forces the local TCP handler in your OS to put the
    connection into TIME_WAIT state. The web browser has no choice but to
    consume one connection per cached item because the web server doesn't
    send back permission to keep the connection up after issuing the 304
    status. This is normal behavior. These orphaned connections are handed
    off to the System process which will eventually time them out.

    In TCPview, you should see these dead connections disappear after a
    couple minutes. If you use TCPview's Options menu and disable the "Show
    Unconnected Endpoints" option, these orphaned connections will
    disappear. Your side waits for the other side to close its
    connection by sending a FIN packet. It's possible their side has
    crashed, rebooted, been powered down, or is otherwise unable to issue a
    FIN. Your side's connection gets stuck in a TIME_WAIT state. To free
    up resources, your side times out the connection to prevent half-open
    connections from indefinitely consuming resources. Why are these
    half-open connections left alive? It is cheaper in resources to reuse
    an existing connection than have to establish a new connection.

    In Windows, the TcpTimedWaitDelay determines how long to wait before
    resetting a dead connection which then frees up that port. The default
    (when this key is not defined) is 240 seconds, or 4 minutes. Reducing
    this value will release the connections faster to provide more resources
    sooner for new connections. It also means having fewer reusable
    connections and having to establish more new connections. The
    recommended minimum is 30 seconds. It is defined under the
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters
    registry key.

    For more information, see:







    "A connection can be "half-open", in which case one side has terminated
    its end, but the other has not. The side that has terminated can no
    longer send any data into or receive any data from the connection, but
    the other side can (but generally if it tries, this should result in no
    acknowledgment and therefore a timeout, or else result in a positive
    RST, and either way thereby the destruction of the half-open socket)."
     
  8. VanguardLH wrote:
    >In SysInternals TCPview (used to show current network connections),
    >there may be connections shown with a process name of "[System
    >Process]:0". .....

    You succeeded to give an imho impressive overview over what
    would have required considerable effort to be found out. Thank you
    very much for proving what usenet can be if experts participate.
    I enjoyed very much to read your posting.

    Regards,
    H.
     
  9. ~BD~

    ~BD~ Guest

    What a refreshing change - I agree totally - thanks for your post,
    Heinz!

    I, too, have always found VanguardLH's posts most interesting and
    helpful.

    --
    Dave


    "Heinz Schmitz" <HeinzSchmitz@gmx.net> wrote in message
    news:eldp25pgd7iqo3luo27q27fb6t0p4evgj3@4ax.com...
    > VanguardLH wrote:
    >
    >>In SysInternals TCPview (used to show current network connections),
    >>there may be connections shown with a process name of "[System
    >>Process]:0". .....
    >
    > You succeeded to give an imho impressive overview over what
    > would have required considerable effort to be found out. Thank you
    > very much for proving what usenet can be if experts participate.
    > I enjoyed very much to read your posting.
    >
    > Regards,
    > H.
    >
    >
    >
     
  10. Frank Martin

    Frank Martin Guest

    "VanguardLH" <V@nguard.LH> wrote in message
    news:h0i6mk$ts2$1@news.eternal-september.org...
    > Frank Martin wrote:
    >
    >> I have WindowsXP Pro.
    >>
    >> Just today my internet connection has slowed right down,
    >> and
    >> an inspection of "Windows Task Manager" shows a lot of
    >> traffic even though I am not using any internet
    >> applications.
    >>
    >> I have run TCPView and there are numerous TCP protocol
    >> addresses in a "TIME_WAIT" state, all with the process
    >> name
    >> "[System Process]:0. All the remote addresses attached
    >> to
    >> this process have different names, and there are about
    >> 100
    >> of them.
    >
    > _ "[System Process]:0" in TIME_WAIT state shown in TCPview
    > _
    >
    > Do they go away after 4 minutes?
    >
    > In SysInternals TCPview (used to show current network
    > connections),
    > there may be connections shown with a process name of
    > "[System
    > Process]:0". This is the same process shown as "System"
    > (PID = 4) in
    > the Processes tab in Task Manager. TCPview will show the
    > state of those
    > connections as TIME_WAIT. You cannot look at the
    > properties of those
    > connections (because they are orphaned connections waiting
    > to timeout).
    >
    > Your web browser connects to a web server and retrieves
    > many files from
    > there, like a .jpg file to show an image in a web page.
    > Even if there
    > is already a locally cached copy of that file, the web
    > browser needs to
    > check if there is a newer version of it. In response, the
    > web server
    > sends back "304 not modified" which means the file has not
    > changed from
    > the copy in the web browser's local cache. Your web
    > browser then sends
    > a FIN (a TCP disconnect request) whereupon the web server
    > responds with
    > its own FIN. This forces the local TCP handler in your OS
    > to put the
    > connection into TIME_WAIT state. The web browser has no
    > choice but to
    > consume one connection per cached item because the web
    > server doesn't
    > send back permission to keep the connection up after
    > issuing the 304
    > status. This is normal behavior. These orphaned
    > connections are handed
    > off to the System process which will eventually time them
    > out.
    >
    > In TCPview, you should see these dead connections
    > disappear after a
    > couple minutes. If you use TCPview's Options menu and
    > disable the "Show
    > Unconnected Endpoints" option, these orphaned connections
    > will
    > disappear. Your side waits for the other their side to
    > close its
    > connection by sending a FIN packet. It's possible their
    > side has
    > crashed, rebooted, been powered down, or is otherwise
    > unable to issue a
    > FIN. Your side's connection gets stuck in a TIME_WAIT
    > state. To free
    > up resources, your side times out the connection to
    > prevent half-open
    > connections from indefinitely consuming resources. Why
    > are these
    > half-open connections left alive? It is cheaper in
    > resources to reuse
    > an existing connection than have to establish a new
    > connection.
    >
    > In Windows, the TcpTimedWaitDelay determines how long to
    > wait before
    > resetting a dead connection which then frees up that port.
    > The default
    > (when this key is not defined) is 240 seconds, or 4
    > minutes. Reducing
    > this value will release the connections faster to provide
    > more resources
    > sooner for new connections. It also means having less
    > reusable
    > connections and having to establish more new connections.
    > The
    > recommended minimum is 30 seconds. It is defined under
    > the
    > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters
    > registry key.
    >
    > For more information, see:
    >
    >
    >

    >

    >

    >
    >

    > "A connection can be "half-open", in which case one side
    > has terminated
    > its end, but the other has not. The side that has
    > terminated can no
    > longer send any data into or receive any data from the
    > connection, but
    > the other side can (but generally if it tries, this should
    > result in no
    > acknowledgment and therefore a timeout, or else result in
    > a positive
    > RST, and either way thereby the destruction of the
    > half-open socket)."



    No they did not go away after 4 minutes, and indeed more
    seemed to appear as time passed.

    When I disconnected the internet and restarted it, it took
    a few minutes for the problem to reappear, but it always
    did.

    I no longer have the problem because I had to go back to a
    backup of 1 month ago and replaced the info on the C:\
    drive.

    I will contact you if this problem re-appears.

    Thanks, Frank
     
  11. VanguardLH

    VanguardLH Guest

    Frank Martin wrote:
    > "VanguardLH" <V@nguard.LH> wrote in message
    > news:h0i6mk$ts2$1@news.eternal-september.org...
    >> Frank Martin wrote:
    >>
    >>> I have WindowsXP Pro.
    >>>
    >>> Just today my internet connection has slowed right down,
    >>> and
    >>> an inspection of "Windows Task Manager" shows a lot of
    >>> traffic even though I am not using any internet
    >>> applications.
    >>>
    >>> I have run TCPView and there are numerous TCP protocol
    >>> addresses in a "TIME_WAIT" state, all with the process
    >>> name
    >>> "[System Process]:0. All the remote addresses attached
    >>> to
    >>> this process have different names, and there are about
    >>> 100
    >>> of them.
    >>
    >> _ "[System Process]:0" in TIME_WAIT state shown in TCPview
    >> _
    >>
    >> Do they go away after 4 minutes?
    >>
    >> In SysInternals TCPview (used to show current network
    >> connections),
    >> there may be connections shown with a process name of
    >> "[System
    >> Process]:0". This is the same process shown as "System"
    >> (PID = 4) in
    >> the Processes tab in Task Manager. TCPview will show the
    >> state of those
    >> connections as TIME_WAIT. You cannot look at the
    >> properties of those
    >> connections (because they are orphaned connections waiting
    >> to timeout).
    >>
    >> Your web browser connects to a web server and retrieves
    >> many files from
    >> there, like a .jpg file to show an image in a web page.
    >> Even if there
    >> is already a locally cached copy of that file, the web
    >> browser needs to
    >> check if there is a newer version of it. In response, the
    >> web server
    >> sends back "304 not modified" which means the file has not
    >> changed from
    >> the copy in the web browser's local cache. Your web
    >> browser then sends
    >> a FIN (a TCP disconnect request) whereupon the web server
    >> responds with
    >> its own FIN. This forces the local TCP handler in your OS
    >> to put the
    >> connection into TIME_WAIT state. The web browser has no
    >> choice but to
    >> consume one connection per cached item because the web
    >> server doesn't
    >> send back permission to keep the connection up after
    >> issuing the 304
    >> status. This is normal behavior. These orphaned
    >> connections are handed
    >> off to the System process which will eventually time them
    >> out.
    >>
    >> In TCPview, you should see these dead connections
    >> disappear after a
    >> couple minutes. If you use TCPview's Options menu and
    >> disable the "Show
    >> Unconnected Endpoints" option, these orphaned connections
    >> will
    >> disappear. Your side waits for the other their side to
    >> close its
    >> connection by sending a FIN packet. It's possible their
    >> side has
    >> crashed, rebooted, been powered down, or is otherwise
    >> unable to issue a
    >> FIN. Your side's connection gets stuck in a TIME_WAIT
    >> state. To free
    >> up resources, your side times out the connection to
    >> prevent half-open
    >> connections from indefinitely consuming resources. Why
    >> are these
    >> half-open connections left alive? It is cheaper in
    >> resources to reuse
    >> an existing connection than have to establish a new
    >> connection.
    >>
    >> In Windows, the TcpTimedWaitDelay determines how long to
    >> wait before
    >> resetting a dead connection which then frees up that port.
    >> The default
    >> (when this key is not defined) is 240 seconds, or 4
    >> minutes. Reducing
    >> this value will release the connections faster to provide
    >> more resources
    >> sooner for new connections. It also means having less
    >> reusable
    >> connections and having to establish more new connections.
    >> The
    >> recommended minimum is 30 seconds. It is defined under
    >> the
    >> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters
    >> registry key.
    >>
    >> For more information, see:
    >>
    >>
    >>

    >>

    >>

    >>
    >>

    >> "A connection can be "half-open", in which case one side
    >> has terminated
    >> its end, but the other has not. The side that has
    >> terminated can no
    >> longer send any data into or receive any data from the
    >> connection, but
    >> the other side can (but generally if it tries, this should
    >> result in no
    >> acknowledgment and therefore a timeout, or else result in
    >> a positive
    >> RST, and either way thereby the destruction of the
    >> half-open socket)."
    >
    > No they did not go away after 4 minutes, and indeed more
    > seemed to appear as time passed.

    Some security products include a "web shield". The web browser goes
    through them and they make the connection. If they aren't dropping the
    half-open connections then it's a bug in that security program. If you
    use Avast with its Web Shield, Avira with its Web Guard, or a 3rd party
    firewall (Comodo or OnlineArmor) that has its web guard/monitor, see
    what happens when you disable those.

    You sure they didn't change for the ones that you saw "left" open? For
    example, I might see a dozen of these connections listed. After awhile,
    there might be half a dozen listed or even more than a dozen listed but
    they were for different failed or aborted connects. Some went away but
    some new ones showed up. Make sure you aren't running a program that
    wants to auto-update. It could be failing the connects or there is a
    server problem (busy, timeouts, whatever) and then retrying the update
    immediately thereafter. They should expire their auto-update after
    several attempts but those repeated attempts could take a long time.

    Watch TCPview. If any of the "[System Process]:0" connections change to
    a red background, that means they have been deleted. The red shows what
    is going away.
     
  12. From: "VanguardLH" <V@nguard.LH>


    | Some security products include a "web shield". The web browser goes
    | through them and they make the connection. If they aren't dropping the
    | half-open connections then it's a bug in that security program. If you
    | use Avast with its Web Shield, Avira with its Web Guard, or a 3rd party
    | firewall (Comodo or OnlineArmor) that has its web guard/monitor, see
    | what happens when you disable those.

    | You sure they didn't change for the ones that you saw "left" open? For
    | example, I might see a dozen of these connections listed. After awhile,
    | there might be half a dozen listed or even more than a dozen listed but
    | they were for different failed or aborted connects. Some went away but
    | some new ones showed up. Make sure you aren't running a program that
    | wants to auto-update. It could be failing the connects or there is a
    | server problem (busy, timeouts, whatever) and then retrying the update
    | immediately thereafter. They should expire their auto-update after
    | several attempts but those repeated attempts could take a long time.

    | Watch TCPview. If any of the "[System Process]:0" connections change to
    | a red background, that means they have been deleted. The red shows what
    | is going away.

    And if TCPView shows Green then Red for an Internet address, then does it again and again
    periodically this is called "beaconing" and is a telltale sign of malware.

    --
    Dave

    Multi-AV -
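One way to turn VanguardLH's "do they go away after 4 minutes?" test and Dave's beaconing observation into a repeatable check, as an added example that is not code from the thread, from TCPView or from Multi-AV: it reads constructed netstat-style snapshots taken a few minutes apart, flags TIME_WAIT entries that outlive TcpTimedWaitDelay, and flags remote addresses that keep collecting fresh connections on a steady cadence. The snapshot format, the sample addresses and the function names are assumptions.

```python
"""Analyse TIME_WAIT churn from periodic TCPView/netstat-style snapshots.

Added example; not code from the thread or from TCPView/Multi-AV.
Assumed (constructed) input format, one line per connection per snapshot:
    t=<seconds> <proto> <local ip:port> <remote ip:port> <state> <pid>
TCPView labels the owner of orphaned TIME_WAIT entries "[System Process]:0",
so the pid column is 0 for those rows.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Windows default for TcpTimedWaitDelay when the registry value is absent (seconds).
TCP_TIMED_WAIT_DELAY = 240


@dataclass(frozen=True)
class Entry:
    t: int        # snapshot time in seconds since the first snapshot
    local: str    # local ip:port
    remote: str   # remote ip:port
    state: str    # TCP state as TCPView/netstat prints it
    pid: int


def parse_snapshots(text: str) -> list[Entry]:
    """Parse the constructed snapshot format; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        t_field, _proto, local, remote, state, pid = line.split()
        entries.append(Entry(int(t_field.split("=", 1)[1]), local, remote, state, int(pid)))
    return entries


def lingering_endpoints(entries: list[Entry], delay: int = TCP_TIMED_WAIT_DELAY) -> dict:
    """Map (local, remote) -> age in seconds for TIME_WAIT entries that outlived `delay`.

    The local port is not handed out again until the TIME_WAIT entry is released, so the
    same (local, remote) pair across snapshots is the same socket, not a new connection.
    An orphaned connection that survives past TcpTimedWaitDelay is the abnormal case.
    """
    first, last = {}, {}
    for e in entries:
        if e.state != "TIME_WAIT":
            continue
        key = (e.local, e.remote)
        first.setdefault(key, e.t)
        last[key] = e.t
    return {k: last[k] - first[k] for k in first if last[k] - first[k] > delay}


def periodic_remotes(entries: list[Entry], min_hits: int = 3, tolerance: float = 0.2) -> dict:
    """Map remote -> mean interval for remotes that keep receiving fresh connections.

    Each new (local, remote) pair is a new short-lived connection; if one remote address
    collects them at a steady cadence (every gap within `tolerance` of the mean), that is
    the green-then-red-again pattern the thread calls beaconing. Browser revalidation
    bursts hit a remote once and then stop, so they do not reach `min_hits`.
    """
    first_seen = {}
    for e in entries:
        if e.state == "TIME_WAIT":
            first_seen.setdefault((e.local, e.remote), e.t)
    times_by_remote = defaultdict(set)
    for (_local, remote), t in first_seen.items():
        times_by_remote[remote].add(t)
    flagged = {}
    for remote, times in times_by_remote.items():
        ts = sorted(times)
        if len(ts) < min_hits:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and max(abs(g - avg) for g in gaps) <= tolerance * avg:
            flagged[remote] = avg
    return flagged


def analyse(text: str) -> dict:
    entries = parse_snapshots(text)
    return {"lingering": lingering_endpoints(entries), "beaconing": periodic_remotes(entries)}


# Constructed sample: four snapshots five minutes apart. 198.51.100.7 is a normal
# browsing burst (gone by the next snapshot); 203.0.113.44 is one socket that never
# expires; 192.0.2.99 gets a brand-new connection every 300 s.
SAMPLE = """
t=0   TCP 192.0.2.10:1054 198.51.100.7:80  TIME_WAIT 0
t=0   TCP 192.0.2.10:1055 198.51.100.7:80  TIME_WAIT 0
t=0   TCP 192.0.2.10:1056 203.0.113.44:443 TIME_WAIT 0
t=0   TCP 192.0.2.10:1060 192.0.2.99:8080  TIME_WAIT 0
t=300 TCP 192.0.2.10:1056 203.0.113.44:443 TIME_WAIT 0
t=300 TCP 192.0.2.10:1061 192.0.2.99:8080  TIME_WAIT 0
t=600 TCP 192.0.2.10:1056 203.0.113.44:443 TIME_WAIT 0
t=600 TCP 192.0.2.10:1062 192.0.2.99:8080  TIME_WAIT 0
t=900 TCP 192.0.2.10:1063 192.0.2.99:8080  TIME_WAIT 0
"""

if __name__ == "__main__":
    result = analyse(SAMPLE)
    for (local, remote), age in result["lingering"].items():
        print(f"stuck past TcpTimedWaitDelay: {local} -> {remote} ({age} s)")
    for remote, interval in result["beaconing"].items():
        print(f"periodic new connections: {remote} every {interval} s")
```

Either flag is only a reason to look closer: a stuck socket can be a buggy web shield or a dead peer, and a regular cadence can be a legitimate auto-updater retrying, so check which program owns the activity before assuming malware.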
     
  13. Frank Martin

    Frank Martin Guest

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    message news:eVEuJhb6JHA.4100@TK2MSFTNGP06.phx.gbl...
    > From: "VanguardLH" <V@nguard.LH>
    >
    >
    > | Some security products include a "web shield". The web
    > browser goes
    > | through them and they make the connection. If they
    > aren't dropping the
    > | half-open connections then it's a bug in that security
    > program. If you
    > | use Avast with its Web Shield, Avira with its Web Guard,
    > or a 3rd party
    > | firewall (Comodo or OnlineArmor) that has its web
    > guard/monitor, see
    > | what happens when you disable those.
    >
    > | You sure they didn't change for the ones that you saw
    > "left" open? For
    > | example, I might see a dozen of these connections
    > listed. After awhile,
    > | there might be half a dozen listed or even more than a
    > dozen listed but
    > | they were for different failed or aborted connects.
    > Some went away but
    > | some new ones showed up. Make sure you aren't running a
    > program that
    > | wants to auto-update. It could be failing the connects
    > or there is a
    > | server problem (busy, timeouts, whatever) and then
    > retrying the update
    > | immediately thereafter. They should expire their
    > auto-update after
    > | several attempts but those repeated attempts could take
    > a long time.
    >
    > | Watch TCPview. If any of the "[System Process]:0"
    > connections change to
    > | a red background, that means they have been deleted.
    > The red shows what
    > | is going away.
    >
    > And if TCPView shows Green then Red for an Internet address,
    > then does it again and again
    > periodically, this is called "beaconing" and is a telltale
    > sign of malware.
    >
    > --
    > Dave
    >
    > Multi-AV -


    Many thanks for all replies.

    Because of these types of viruses, which the common sweepers
    do not remove, I have reviewed my backup procedures and do a
    Ghost 12 backup every 3 days for the C and D drives as well
    as the normal complete-computer backup every week.

    Regards, Frank
     
  14. From: "Frank Martin" <fm@general.com.au>



    | Many thanks for all replies.

    | Because of these types of viruses, which the common sweepers
    | do not remove, I have reviewed my backup procedures and do a
    | Ghost 12 backup every 3 days for the C and D drives as well
    | as the normal complete-computer backup every week.

    | Regards, Frank


    Please don't assume "viruses". Chances are it is trojan activity and NOT caused by a
    virus.

    --
    Dave

    Multi-AV -
     
  15. Johnw

    Johnw Guest

    Frank Martin has brought this to us:
    > Many thanks for all replies.
    > Because of these types of viruses, which the common sweepers do not remove, I
    > have reviewed my backup procedures and do a Ghost 12 backup every 3 days for
    > the C and D drives as well as the normal complete-computer backup every week.

    Because you got infected, that is telling you your defence/preventive
    measures are not up to scratch. Far better to stop infections before
    they get into your comp.
     
  16. RJK

    RJK Guest

    ??? How do you define a difference between a "trojan" and a "virus," when
    an "ordinary" person considers any form of MAL_icious/soft_WARE to be a
    "virus"? :) (VBG :)
    i.e. Most earthly people use the word "virus" to encompass all malicious
    software :)

    regards, Richard

    ...smile, ....smile, ...I never trust people that smile too much ! (...Star
    Trek)


    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:%23Q1Ohph6JHA.4404@TK2MSFTNGP04.phx.gbl...
    > From: "Frank Martin" <fm@general.com.au>
    >
    >
    >
    > | Many thanks for all replies.
    >
    > | Because of these types of viruses, which the common sweepers
    > | do not remove, I have reviewed my backup procedures and do a
    > | Ghost 12 backup every 3 days for the C and D drives as well
    > | as the normal complete-computer backup every week.
    >
    > | Regards, Frank
    >
    >
    > Please don't assume "viruses". Chances are it is trojan activity and NOT
    > caused by a
    > virus.
    >
    > --
    > Dave
    >
    > Multi-AV -

    >
     
  17. From: "RJK" <nosuch@hotmail.com>

    | ??? How do you define a difference between a "trojan" and a "virus," when
    | an "ordinary" person considers any form of MAL_icious/soft_WARE to be a
    | "virus"? :) (VBG :)
    | i.e. Most earthly people use the word "virus" to encompass all malicious
    | software :)

    | regards, Richard

    | ..smile, ....smile, ...I never trust people that smile too much ! (...Star
    | Trek)

    M A L W A R E



    --
    Dave

    Multi-AV -
     
  18. Just because most earthly people are wrong doesn't mean they have to
    stay that way.

    There are very good reasons for emphasizing that there is a difference
    between them.

    "RJK" <nosuch@hotmail.com> wrote in message
    news:ujp808u6JHA.1716@TK2MSFTNGP03.phx.gbl...
    > ??? How do you define a difference between a "trojan" and a "virus,"
    > when an "ordinary" person considers any form of
    > MAL_icious/soft_WARE to be a "virus"? :) (VBG :)
    > i.e. Most earthly people use the word "virus" to encompass all
    > malicious software :)
    >
    > regards, Richard
    >
    > ..smile, ....smile, ...I never trust people that smile too much !
    > (...Star Trek)
    >
    >
    > "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    > news:%23Q1Ohph6JHA.4404@TK2MSFTNGP04.phx.gbl...
    >> From: "Frank Martin" <fm@general.com.au>
    >>
    >>
    >>
    >> | Many thanks for all replies.
    >>
    >> | Because of these types of viruses, which the common sweepers
    >> | do not remove, I have reviewed my backup procedures and do a
    >> | Ghost 12 backup every 3 days for the C and D drives as well
    >> | as the normal complete-computer backup every week.
    >>
    >> | Regards, Frank
    >>
    >>
    >> Please don't assume "viruses". Chances are it is trojan activity and
    >> NOT caused by a
    >> virus.
    >>
    >> --
    >> Dave
    >>
    >> Multi-AV -

    >>
    >>
    >
     
  19. VanguardLH

    VanguardLH Guest

  20. Geoff

    Geoff Guest

    On Sat, 6 Jun 2009 12:14:57 +1000, "Frank Martin" <fm@general.com.au>
    wrote:
    >I have WindowsXP Pro.
    >
    >Just today my internet connection has slowed right down, and
    >an inspection of "Windows Task Manager" shows a lot of
    >traffic even though I am not using any internet
    >applications.
    >
    >I have run TCPView and there are numerous TCP protocol
    >addresses in a "TIME_WAIT" state, all with the process name
    >"[System Process]:0. All the remote addresses attached to
    >this process have different names, and there are about 100
    >of them.
    >
    >
    >Can someone help me.
    >Regards, Frank
    >

    FWIW, all sockets that fall into TIME_WAIT get owned by PID 0 on
    normal Windows systems. TIME_WAIT is the proper state a client
    connection enters when a session is properly closed. It is designed to
    let any delayed frames hit the socket harmlessly and to prevent any
    new sessions from reusing that socket for a time period long enough
    for remnants of the old session to have expired.

    It is not specifically an indicator of any malware infection.

    PID 0, ([System Process]:0) is the idle task, part of the kernel.

    What _is_ unusual is that you would experience a flurry of TCP
    activity that is opening and closing sockets that can't be accounted
    for by normal browser or email activity.

    What's even more important for diagnosis is the remote destination's
    IP address and socket number. The remote IP or domain name can clue
    you in to what application opened the socket and who it was talking
    to. The socket number can tell you what kind of server or protocol it
    was using (e.g., 80 for HTTP, 110 for POP3, 25 for SMTP, 119 for
    NNTP, etc.). Until you know these things, the mere presence of TCP/IP
    TIME_WAIT sockets can't be reliably associated with malicious
    activity.

    "Beaconing" is not a valid TCP term or behavior and "beaconing" is not
    a reliable diagnostic of malware behavior. Many normal processes in
    Windows initiate outgoing connections on a periodic basis. (Outlook
    Mail for example, or RSS feed updates in browsers.) Java, Adobe, MSN,
    Yahoo Messenger, virtually any A-V product all "phone home" on a
    periodic basis and can cause this kind of socket remnant to be
    lingering around.

    I suspect you inadvertently said yes to a recent installation of a
    toolbar or Java update and it installed something unexpected (Like
    Windows Live Toolbar) and it was phoning home periodically when you
    didn't expect it.
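    Geoff's point that the remote address and port, not the PID, identify where a TIME_WAIT socket came from, as an added example that is not code from the thread: a Python parser for a constructed `netstat -ano` snapshot in the Windows XP layout, which groups the TIME_WAIT rows by remote endpoint and labels the ports the post names. The addresses, ports and PIDs in the sample are made up.

```python
"""Summarize TIME_WAIT sockets from a Windows `netstat -ano` snapshot.

Added example, not code from the thread. On Windows every TIME_WAIT row is
reported under PID 0, so the PID column says nothing about which program
opened it; the remote address and port do. The snapshot below is
constructed: documentation-range IPs, made-up PIDs.
"""
import re
from collections import Counter

# Ports named in the thread, plus 443, as a first hint at the protocol.
WELL_KNOWN = {25: "SMTP", 80: "HTTP", 110: "POP3", 119: "NNTP", 443: "HTTPS"}

# Constructed `netstat -ano` output (Windows XP layout).
SNAPSHOT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    192.168.1.5:1033       198.51.100.20:110      ESTABLISHED     1600
  TCP    192.168.1.5:1041       203.0.113.7:80         TIME_WAIT       0
  TCP    192.168.1.5:1042       203.0.113.7:80         TIME_WAIT       0
  TCP    192.168.1.5:1043       203.0.113.8:80         TIME_WAIT       0
  TCP    192.168.1.5:1050       192.0.2.66:6667        TIME_WAIT       0
  TCP    192.168.1.5:1051       192.0.2.66:6667        TIME_WAIT       0
  TCP    192.168.1.5:1052       192.0.2.66:6667        TIME_WAIT       0
  TCP    192.168.1.5:1053       192.0.2.66:6667        TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# One TCP row: local ip:port, remote ip:port, state, owning PID.
TCP_ROW = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_]+)\s+(\d+)\s*$"
)


def parse_netstat(text):
    """Return a dict per TCP row; header, blank and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if not m:
            continue
        lip, lport, rip, rport, state, pid = m.groups()
        rows.append({
            "local": (lip, int(lport)),
            "remote": (rip, int(rport)),
            "state": state,
            "pid": int(pid),
        })
    return rows


def time_wait_summary(text):
    """Count TIME_WAIT sockets per remote endpoint, most frequent first.

    Each entry is (remote_ip, remote_port, service_name_or_None, count).
    """
    counts = Counter(
        row["remote"] for row in parse_netstat(text) if row["state"] == "TIME_WAIT"
    )
    return [
        (ip, port, WELL_KNOWN.get(port), n)
        for (ip, port), n in counts.most_common()
    ]


def unexplained(text):
    """TIME_WAIT remote endpoints on ports outside the well-known set.

    Chase these first: look up the IP, then match the timing against
    anything on the box that is expected to phone home.
    """
    return [
        (ip, port, n)
        for ip, port, service, n in time_wait_summary(text)
        if service is None
    ]


if __name__ == "__main__":
    for ip, port, service, n in time_wait_summary(SNAPSHOT):
        print(f"{n:3d}  {ip}:{port}  {service or '?'}")
```

    Against a live machine, capture with `netstat -ano > snap.txt` and feed the file contents to `parse_netstat`. Every TIME_WAIT row in the sample carries PID 0, as Geoff describes, so the summary only tells you where the traffic went; to learn which program opened a connection you have to catch it while it is still ESTABLISHED or SYN_SENT, when netstat still reports the owning PID.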
     
