by Charlie Bowman, Director of Client Support
Do you think someone is connecting to your PC? Are you paranoid? In today’s Internet environment, it may pay to be somewhat suspicious. I wrote a small batch program that I have on my desktop that I execute from time to time. Whenever I get the feeling that someone is looking over my shoulder, I double click the "What’s Up?" icon on my desktop. A batch program is run that opens Notepad with the information below. It shows me the status and addresses of all connections to or from my machine, what the process is doing, and whether or not it is listening for a connection.
Here is the little batch program:
netstat -ano > c:\netstat.txt
tasklist /svc >>c:\netstat.txt
notepad.exe c:\netstat.txt
Copy and paste this into Notepad and save it on your desktop as whatsup.bat. When you double-click it, Windows runs the two commands, writes their output to c:\netstat.txt, and then opens that file in Notepad so you can check what (or who) may be connecting to your machine.
The first part of the screenshot below shows the active connections that have been established between my machine (129.49.223.2xx) and other addresses. Note that all the established connections are with addresses on the .2 and .23 networks. Since these subnets are in the computing center, I know that these are probably valid connections to known University servers. The last column, labeled PID, shows the process id of the program that is making the connection. Most of the established connections belong to process id 3680. The second page lists every process id and the program associated with it. Note that the program associated with 3680 is nlnotes.exe, the Lotus Notes client, so these connections are all known and valid.
When you find connections to addresses off the SB network, or to a subnet that is not known to have a valid server, then you may have a virus or Trojan.
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1056
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:2701 0.0.0.0:0 LISTENING 1260
TCP 0.0.0.0:2702 0.0.0.0:0 LISTENING 1260
TCP 0.0.0.0:2967 0.0.0.0:0 LISTENING 1124
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 988
TCP 127.0.0.1:1046 0.0.0.0:0 LISTENING 1788
TCP 127.0.0.1:1103 0.0.0.0:0 LISTENING 2828
TCP 129.49.223.2xx:139 0.0.0.0:0 LISTENING 4
TCP 129.49.223.2xx:1063 129.49.23.117:445 ESTABLISHED 4
TCP 129.49.223.2xx:1139 129.49.2.137:1352 ESTABLISHED 3680
TCP 129.49.223.2xx:1140 129.49.2.137:1533 ESTABLISHED 3680
TCP 129.49.223.2xx:1141 129.49.2.178:1352 ESTABLISHED 3680
TCP 129.49.223.2xx:1146 129.49.2.70:1352 ESTABLISHED 3680
TCP 129.49.223.2xx:1265 129.49.2.15:80 CLOSE_WAIT 856
TCP 129.49.223.2xx:1266 129.49.2.15:80 CLOSE_WAIT 856
TCP 129.49.223.232:1267 129.49.2.178:1352 TIME_WAIT 0
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 812
UDP 0.0.0.0:1025 *:* 1200
UDP 0.0.0.0:1026 *:* 1200
UDP 0.0.0.0:4500 *:* 812
UDP 127.0.0.1:123 *:* 1152
UDP 127.0.0.1:1027 *:* 812
UDP 127.0.0.1:1042 *:* 756
UDP 127.0.0.1:1078 *:* 1296
UDP 127.0.0.1:1229 *:* 856
UDP 127.0.0.1:1900 *:* 1308
UDP 129.49.223.2xx:123 *:* 1152
UDP 129.49.223.2xx:137 *:* 4
UDP 129.49.223.2xx:138 *:* 4
UDP 129.49.223.2xx:1900 *:* 1308
Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 684 N/A
csrss.exe 732 N/A
winlogon.exe 756 N/A
services.exe 800 Eventlog, PlugPlay
lsass.exe 812 Netlogon, PolicyAgent, ProtectedStorage,
SamSs
svchost.exe 988 DcomLaunch, TermService
svchost.exe 1056 RpcSs
svchost.exe 1152 AudioSrv, CryptSvc, Dhcp, dmserver,
EventSystem, helpsvc, lanmanserver,
LanmanWorkstation, Netman, Nla, RasMan,
Schedule, seclogon, SENS, SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, w32time, winmgmt, wuauserv
svchost.exe 1200 Dnscache
svchost.exe 1308 LmHosts, RemoteRegistry, SSDPSRV
ccSetMgr.exe 1336 ccSetMgr
ccEvtMgr.exe 1392 ccEvtMgr
spoolsv.exe 1560 Spooler
ASFAgent.exe 208 ASFAgent
DefWatch.exe 252 DefWatch
mdm.exe 448 MDM
ntmulti.exe 476 Multi-user Cleanup Service
retrorun.exe 592 RetroLauncher
SavRoam.exe 668 SavRoam
Rtvscan.exe 1124 Symantec AntiVirus
Wuser32.exe 1260 Wuser32
CcmExec.exe 1296 CcmExec
alg.exe 1788 ALG
wmiprvse.exe 356 N/A
wmiprvse.exe 3032 N/A
explorer.exe 3184 N/A
DSentry.exe 2444 N/A
MXOALDR.EXE 2328 N/A
OneTouch.exe 2468 N/A
WinPatrol.exe 1680 N/A
Directcd.exe 2656 N/A
jusched.exe 2796 N/A
ccApp.exe 2828 N/A
VPTray.exe 2836 N/A
ctfmon.exe 2852 N/A
Printkey2000.exe 2876 N/A
nlnotes.exe 3680 N/A
ntaskldr.exe 2360 N/A
iexplore.exe 856 N/A
cmd.exe 1844 N/A
TASKLIST.EXE 564 N/A
wmiprvse.exe 3784 N/A
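The check the post walks through by eye (take each non-listening TCP line from netstat, look its PID up in the tasklist page, and ask whether the foreign address sits on a subnet you trust) can be automated over the two saved outputs. The script below is an added example and not part of the original post or its batch file. It assumes the two computing-center subnets the post names (129.49.2.0/24 and 129.49.23.0/24) as the trusted list, and works on constructed sample text modelled on the listing above; the local address 129.49.223.200, the process example_unknown.exe with PID 4100, and the peer 203.0.113.45:8080 (a documentation address) are invented to show what a flagged row looks like.

```python
import ipaddress
import re

# Constructed sample of "netstat -ano" output, modelled on the listing in the post.
# The PID 4100 line with peer 203.0.113.45 is invented so that one row gets flagged.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1056
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       988
  TCP    129.49.223.200:1063    129.49.23.117:445      ESTABLISHED     4
  TCP    129.49.223.200:1139    129.49.2.137:1352      ESTABLISHED     3680
  TCP    129.49.223.200:1265    129.49.2.15:80         CLOSE_WAIT      856
  TCP    129.49.223.200:1267    129.49.2.178:1352      TIME_WAIT       0
  TCP    129.49.223.200:1301    203.0.113.45:8080      ESTABLISHED     4100
  UDP    0.0.0.0:500            *:*                                    812
"""

# Constructed sample of "tasklist /svc" output; example_unknown.exe is invented.
TASKLIST_SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
lsass.exe                    812 Netlogon, PolicyAgent, ProtectedStorage,
                                 SamSs
svchost.exe                  988 DcomLaunch, TermService
svchost.exe                 1056 RpcSs
iexplore.exe                 856 N/A
nlnotes.exe                 3680 N/A
example_unknown.exe         4100 N/A
"""

# Subnets the post treats as known University servers (assumption: the .2 and .23 nets).
KNOWN_NETS = [ipaddress.ip_network(n) for n in
              ("129.49.2.0/24", "129.49.23.0/24", "127.0.0.0/8")]

def parse_netstat(text):
    """Return one dict per TCP/UDP line of `netstat -ano` output."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, foreign, pid = parts
            state = ""                      # UDP lines carry no State column
        else:
            continue                        # headers, blank lines, anything odd
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "state": state, "pid": int(pid)})
    return conns

TASK_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")

def parse_tasklist(text):
    """Return {pid: {"image": ..., "services": ...}} from `tasklist /svc` output."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace() and last_pid is not None:
            # tasklist wraps long service lists onto indented continuation lines
            procs[last_pid]["services"] += " " + line.strip()
            continue
        m = TASK_RE.match(line)
        if not m:
            continue
        last_pid = int(m.group("pid"))
        svcs = m.group("svcs").strip()
        procs[last_pid] = {"image": m.group("image").strip(),
                           "services": "" if svcs == "N/A" else svcs}
    return procs

def peer_is_known(foreign):
    """True when the foreign endpoint is unbound or lies inside KNOWN_NETS."""
    host = foreign.rpartition(":")[0].strip("[]")
    if host in ("*", "0.0.0.0", "::"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_NETS)

def review(netstat_text, tasklist_text):
    """Join connections to processes by PID; skip listeners, keep TCP peers."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for c in parse_netstat(netstat_text):
        if c["proto"] != "TCP" or c["state"] == "LISTENING":
            continue
        proc = procs.get(c["pid"], {"image": "<pid not in tasklist>", "services": ""})
        rows.append({"pid": c["pid"], "image": proc["image"],
                     "services": proc["services"], "foreign": c["foreign"],
                     "state": c["state"], "known_peer": peer_is_known(c["foreign"])})
    return rows

def flagged(netstat_text, tasklist_text):
    """Only the rows whose peer is off the trusted subnets."""
    return [r for r in review(netstat_text, tasklist_text) if not r["known_peer"]]

def listeners(netstat_text, tasklist_text):
    """(port, image) for every TCP socket in LISTENING state."""
    procs = parse_tasklist(tasklist_text)
    return sorted((int(c["local"].rpartition(":")[2]),
                   procs.get(c["pid"], {"image": "?"})["image"])
                  for c in parse_netstat(netstat_text) if c["state"] == "LISTENING")

if __name__ == "__main__":
    for r in review(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        mark = "   " if r["known_peer"] else "!! "
        print(f"{mark}{r['state']:<12} {r['foreign']:<22} pid {r['pid']:<5} {r['image']}")
    print("listening:", listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE))
```

On a real machine you would read the two halves of c:\netstat.txt into the two text arguments instead of the samples. A PID that netstat reports but tasklist does not list (the "<pid not in tasklist>" case) is worth a second look of its own, since the two commands run a moment apart and a short-lived process can vanish between them; PID 0 in a TIME_WAIT row is normal, as the socket has already been released by its owner.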
For a complete explanation of netstat see:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/netstat.mspx?mfr=true
Tags: PC
I have had this problem for some time now.
I thought I was being paranoid, but you cannot be too cautious with such information as bank details, credit card and other personal items you do not want to disclose.
This is a superb help!
Many thanks