Figuring out which app is responsible for a certain open por

tnf
Posts: 13010
Joined: Tue Mar 13, 2001 8:00 am

Figuring out which app is responsible for a certain open por

Post by tnf »

Just got done working through a friend's laptop that had 4 or 5 different trojans and the system security spyware issue that replaced their desktop with a warning and blocked access to msconfig, regedit, cmd, etc.

They were using that LegalSounds downloader and also had FlashGet (which apparently had been used to deliver a trojan to a lot of people).

Anyhow, that is all taken care of, but when I run netstat I am still getting this at port 1035:

static.91.213.78.46.clients.your-server.de:https CLOSE-WAIT

I just want to know what program is establishing that connection - there isn't anything in the startup in msconfig that does.

Any ideas?
^misantropia^
Posts: 4022
Joined: Sat Mar 12, 2005 6:24 pm

Re: Figuring out which app is responsible for a certain open por

Post by ^misantropia^ »

`netstat -o`, then cross-reference the PID in the Task Manager (Processes -> View -> Select columns -> PID to enable it).
tnf
Posts: 13010
Joined: Tue Mar 13, 2001 8:00 am

Re: Figuring out which app is responsible for a certain open por

Post by tnf »

Thanks
Fender
Posts: 5876
Joined: Sun Jan 14, 2001 8:00 am

Re: Figuring out which app is responsible for a certain open por

Post by Fender »

Semi-related, the Sysinternals tools can be quite useful
http://technet.microsoft.com/en-us/sysi ... fault.aspx

And if you need to see the contents of the traffic on a network, wireshark works pretty well.
http://www.wireshark.org/
tnf
Posts: 13010
Joined: Tue Mar 13, 2001 8:00 am

Re: Figuring out which app is responsible for a certain open por

Post by tnf »

Ok, here's what I run into now. The PID goes back to a copy of svchost that is running. I've cleaned out the startup, but there have to be other issues because it still connects to that IP (the correct address that is showing up in netstat is:

static.91.213.46.78.clients.your-server.de)

Found one site that did some research and said it looked like your-server.de might be collecting logs for the RBN (Russian Business Network - which wouldn't surprise me on this machine because they were using that legalsounds.com run by Russians).

Did a WHOIS on the 91.... IP address and it came back to an orgname of RIPE Network Coordination Centre.

I'm not sure where to go next in terms of figuring out when/what/how this damn connection is being established.

It's a pain in the ass because if you do any searches on this machine, you get redirected to a random shopping website each time you click on a link.
tnf
Posts: 13010
Joined: Tue Mar 13, 2001 8:00 am

Re: Figuring out which app is responsible for a certain open por

Post by tnf »

Well, I used Wireshark and found out, by monitoring the packets, that every time a Google search is done on this machine there is info being sent to IP addresses that resolve back to your-server.de, so the machine's activity is definitely being monitored or logged or something.

But I've reached the end of my expertise, so I will distill my question down to the absolute basics:
You turn on a machine, do a netstat and find an open port like I mentioned above. There is nothing in the startup or processes that indicates how the connection is made, and the PID for the connection goes back to svchost.exe.

What next?
^misantropia^
Posts: 4022
Joined: Sat Mar 12, 2005 6:24 pm

Re: Figuring out which app is responsible for a certain open por

Post by ^misantropia^ »

In the Task Manager, right-click the svchost.exe process and select 'Go to services'. Find the offending service and disable/remove it.
^misantropia^
Posts: 4022
Joined: Sat Mar 12, 2005 6:24 pm

Re: Figuring out which app is responsible for a certain open por

Post by ^misantropia^ »

Oh, and make sure the service doesn't automagically restart after a system reboot.
Fender
Posts: 5876
Joined: Sun Jan 14, 2001 8:00 am

Re: Figuring out which app is responsible for a certain open por

Post by Fender »

When did "go to services" get added? It isn't in XP. Guessing Vista, but I'm not @ home to check.
^misantropia^
Posts: 4022
Joined: Sat Mar 12, 2005 6:24 pm

Re: Figuring out which app is responsible for a certain open por

Post by ^misantropia^ »

Yeah, it's a Vista-only thing. With XP, you'll need to use the Sysinternals tool.
tnf
Posts: 13010
Joined: Tue Mar 13, 2001 8:00 am

Re: Figuring out which app is responsible for a certain open por

Post by tnf »

It's running XP, so how do I do that using Sysinternals?

Ok, figured I'd probably use Procmon.exe to check out the processes, but this fucking thing is now saying that there isn't enough memory to allocate for the thing. 2 gigs on this laptop with only mcafee loaded up. Tried a safemode with networking, but that wouldn't work as it said it couldn't load the device driver for it. Going to try and download a svchost viewer program.
^misantropia^
Posts: 4022
Joined: Sat Mar 12, 2005 6:24 pm

Re: Figuring out which app is responsible for a certain open por

Post by ^misantropia^ »

tnf wrote: It's running XP, so how do I do that using Sysinternals?

Easy as pie: double-click svchost.exe, then go to the Services tab.
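The two answers above (`netstat -o` to get the PID, then the Services tab of that svchost.exe) can be joined up on the command line as well: `netstat -ano` lists connections with numeric addresses and the owning PID, and `tasklist /svc` lists every process with the services it hosts, so matching the two on PID names the service behind a connection that a bare svchost.exe hides. The following script is an added example, not code from the thread; the `netstat -ano` and `tasklist /svc` output it parses is constructed sample text, and the host and port it looks up are placeholders.

```python
import re
# Constructed sample output of `netstat -ano` (numeric addresses, PID column), not the thread's real data.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    192.168.1.5:1035       91.213.46.78:443       CLOSE_WAIT      1032
  TCP    192.168.1.5:1040       74.125.67.100:80       ESTABLISHED     2212
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed sample output of `tasklist /svc`; long service lists wrap onto indented lines.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1032 DcomLaunch, TermService
svchost.exe                   1100 RpcSs,
                                   SamSs
firefox.exe                   2212 N/A
"""

def parse_netstat(text):
    # One dict per connection row; UDP rows have no State column, so the PID is taken from the end.
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner and header lines
        rows.append({"proto": parts[0], "local": parts[1], "remote": parts[2],
                     "state": parts[3] if len(parts) == 5 else "", "pid": int(parts[-1])})
    return rows

def parse_tasklist(text):
    # Map PID -> (image name, list of hosted service names); "N/A" means the process hosts no services.
    procs, last = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:
            last = int(m.group(2))
            procs[last] = (m.group(1), [s.strip() for s in m.group(3).split(",") if s.strip() not in ("", "N/A")])
        elif last is not None and line.startswith(" ") and line.strip():
            procs[last][1].extend(s.strip() for s in line.split(",") if s.strip())  # wrapped continuation
    return procs

def find_owner(remote_host, remote_port, netstat_text=NETSTAT_SAMPLE, tasklist_text=TASKLIST_SAMPLE):
    # Join the two listings on PID; a svchost.exe hit means the culprit is one of its hosted services.
    procs, target, hits = parse_tasklist(tasklist_text), f"{remote_host}:{remote_port}", []
    for r in parse_netstat(netstat_text):
        if r["remote"] == target:
            image, services = procs.get(r["pid"], ("<unknown>", []))
            hits.append({"pid": r["pid"], "state": r["state"], "image": image, "services": services})
    return hits
```

On a live box, feed `find_owner` the captured output of the two commands instead of the samples; a hit that resolves to svchost.exe with several services narrows the search to those services, which is the same list Process Explorer shows on the Services tab.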
tnf
Posts: 13010
Joined: Tue Mar 13, 2001 8:00 am

Re: Figuring out which app is responsible for a certain open por

Post by tnf »

Ok, this whole thing is getting complicated (for me at least).

Here's where I stand now:

I was able to determine the process in the SVCHOST file that was associated with the PID for the connection to the machine in Denmark. The process was DCOMlaunch and something else that started with Term I think. I disabled DCOM in the registry and checked dcomcnfg or whatever and made sure it was off there too, but even with that the connection still gets established and the DCOMLaunch is still there in the svchost file. Did some searching and found that you can't really disable dcomlaunch in XP.

Running a virus scan now (it's 2.5 hours in and still plugging away) thinking maybe I'll get lucky and it will remove the offending code. But if it doesn't, I think I will have to throw in the towel and reformat/reinstall.

They have 15 gigs of mp3s they want me to save though. Some are from iTunes, which leads me to my next question - is there some sort of crazy licensing scheme with files downloaded from iTunes that prevents you from just copying the file to another computer as backup and then copying them back over after reinstalling Windows?