Remote Address Twins


19 replies to this topic

#1 mountainlake

mountainlake

  • Members
  • 14 posts

Posted 05 March 2009 - 08:41 AM

Hello! Often when I check the remote addresses with "CurrPorts", I see twins or even double twins (2 or 4 exactly identical
remote addresses) on different ports with following numbers. It mostly happens with addresses like for example
213.248.111.122.customer.teliacarrier.com or 74.125.79.102 ey-in-f102.google.com.
Furthermore those twins seem to connect other single remote addresses with no explicit name. This happens with
IExplorer7, but also with GoogleChrome or Firefox.
I run Vista with Norton Internet Security and I didn't find a way to block either specified names or IP addresses.

Is this normal? Scans with Spybot and Norton indicate that my system is clean, also HijackThis seems normal to me.

Thanks for help in this issue!



#2 mountainlake

mountainlake
  • Topic Starter

  • Members
  • 14 posts

Posted 06 March 2009 - 06:59 PM

Should I add that all these connections are linked to the TCP
to attract more attention?

:thumbsup:

#3 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 06 March 2009 - 08:02 PM

Hi and welcome to BleepingComputer :thumbsup: Sorry we missed your topic. Let's take a look with Malwarebytes.

The process of cleaning your computer may require temporarily disabling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." – Will Smith


#4 mountainlake

mountainlake
  • Topic Starter

  • Members
  • 14 posts

Posted 07 March 2009 - 09:11 AM

Hi, thanks for your help, I followed your instructions. Here is the mbam log file
(it's unfortunately written in French, even if I checked "english" in the beginning):

-----------------------------------------------------------

Malwarebytes' Anti-Malware 1.34
Version de la base de données: 1825
Windows 6.0.6001 Service Pack 1

07.03.2009 14:14:42
mbam-log-2009-03-07 (14-14-42).txt

Type de recherche: Examen rapide
Eléments examinés: 61960
Temps écoulé: 3 minute(s), 9 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)

---------------------------------------------------

Essentially it means that all is OK. By the way, the day before yesterday I made a complete scan
with Malwarebytes with the same result. I uninstalled and reinstalled it according to your instructions.

Concerning the twins, maybe the following details may give further information; it happened just before:

I launched IExplorer (with Google startpage): as expected a single remote address appeared,
like "ww-in-f147.google.com" (but at this stage already the twins often appear), then I waited to make sure
that even this single one disappeared. Afterwards I connected over the favorites to "beepingcomputer.com" and
then appeared the same google-address (which already had disappeared before) and a "beepingcomputer.com"-twin,
but which was already in "Close Wait" stage when I checked it, while the google connection remained established
and I even could not close it manually with CurrPorts.
But there are many other variations, sometimes even up to 8 identical remote addresses can appear accompanied
by other stuff and, of course, it happens systematically when I connect with a search-link.
Normally the twins remain established and I can't close manually either one or the other.

#5 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 07 March 2009 - 11:51 AM

Have you reset your router and given it a strong password?
Chewy

No. Try not. Do... or do not. There is no try.

#6 mountainlake

mountainlake
  • Topic Starter

  • Members
  • 14 posts

Posted 08 March 2009 - 05:45 AM

Hi. Yes, at least as it seems to me. I use the default values written on the box of my router
(and I'm sure no one else than me ever saw them) for pin code and WPA, which are long and strong :thumbsup:

In any case it's not a wireless issue, 'cause there are actually no other computers near the place I live.

I made a reset twice some weeks ago (for other reasons) but without changing the passwords.
Anyway it seems to me they are integrated and I don't know really how to change them.

Thanks for your answer !

#7 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 08 March 2009 - 08:47 AM

This has nothing to do with wireless and external hackers

Log onto your router according to the manufacturer's directions

If you don't have to use a strong password then an infection can log on also and then set dns servers for your connection
Chewy

No. Try not. Do... or do not. There is no try.

#8 mountainlake

mountainlake
  • Topic Starter

  • Members
  • 14 posts

Posted 11 March 2009 - 05:11 PM

Sorry for the late reaction.

I did a reset and changed the password for the router and even the admin password.
Now I have really even longer and stronger passwords than before in both.

Unfortunately there are no changes in what concerns the twins.
What surprises me too is that, as it seems, no one else has these twin problems.
By the way, all sites I visit have excellent reputation (according to the WOT IE-add I installed today).
If you say it has nothing to do with external hackers, does this mean that I don't need to worry about
these twins? :thumbsup:

#9 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 11 March 2009 - 05:50 PM

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


and please start currports, select all, use the floppy picture and save as report.text, copy into reply

What area of the world are you from?
Chewy

No. Try not. Do... or do not. There is no try.

#10 mountainlake

mountainlake
  • Topic Starter

  • Members
  • 14 posts

Posted 11 March 2009 - 07:05 PM

Hi, thanks for the answer !
I live in the French Alps.

Here comes the smit report:

SmitFraudFix v2.402

Scan done at 0:51:51.77, 12.03.2009
Run from C:\Users\Je\Downloads\SmitfraudFix
OS: Microsoft Windows [version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\ACEngSvr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\System32\ASUSTPE.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Windows\ASScrPro.exe
C:\Program Files\PowerForPhone\PowerForPhone.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\LAC


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\LAC\AppData\Local\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\LAC\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\LAC\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Atheros AR5007EG Wireless Network Adapter
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{FED220C7-451D-4429-B526-E4E937223FE6}: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


and here the currports (with the bleepingcomputer twins) :

ccApp.exe 2192 TCP 49754 127.0.0.1 0.0.0.0 Listening C:\Program Files\Common Files\Symantec Shared\ccApp.exe Symantec Security Technologies Symantec User Session 106.2.0.21 Symantec Corporation 12.03.2009 00:55:45 A 12.03.2009 00:57:29
ccApp.exe 2192 TCP 49755 ::1 :: Listening C:\Program Files\Common Files\Symantec Shared\ccApp.exe Symantec Security Technologies Symantec User Session 106.2.0.21 Symantec Corporation 12.03.2009 00:55:45 A 12.03.2009 00:57:29
iexplore.exe 5784 TCP 49757 192.168.1.20 80 http 208.43.87.2 www.bleepingcomputer.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 00:56:48 PCLAC\Je A 12.03.2009 00:57:29 BleepingComputer.com - Computer Help Forums - Windows Internet Explorer
iexplore.exe 5784 TCP 49758 192.168.1.20 80 http 208.43.87.2 www.bleepingcomputer.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 00:56:48 PCLAC\Je A 12.03.2009 00:57:29 BleepingComputer.com - Computer Help Forums - Windows Internet Explorer
iexplore.exe 5784 TCP 49759 192.168.1.20 80 http 208.43.120.24 208.43.120.24-static.reverse.softlayer.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 00:56:48 PCLAC\Je A 12.03.2009 00:57:29 BleepingComputer.com - Computer Help Forums - Windows Internet Explorer
iexplore.exe 5784 TCP 49760 192.168.1.20 80 http 74.125.79.127 ey-in-f127.google.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 00:56:48 PCLAC\Je A 12.03.2009 00:57:29 BleepingComputer.com - Computer Help Forums - Windows Internet Explorer
iexplore.exe 5784 UDP 53464 127.0.0.1 C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 00:56:48 PCLAC\Je A 12.03.2009 00:57:29 BleepingComputer.com - Computer Help Forums - Windows Internet Explorer
System 936 TCP 135 epmap 0.0.0.0 0.0.0.0 Listening N/A RpcSs 12.03.2009 00:57:29
System 4 TCP 139 netbios-ssn 192.168.1.20 0.0.0.0 Listening N/A 12.03.2009 00:57:29
System 620 TCP 49152 0.0.0.0 0.0.0.0 Listening N/A 12.03.2009 00:57:29
System 1080 TCP 49153 0.0.0.0 0.0.0.0 Listening N/A Audiosrv, Dhcp, Eventlog, lmhosts, wscsvc 12.03.2009 00:57:29
System 716 TCP 49154 0.0.0.0 0.0.0.0 Listening N/A KeyIso, SamSs 12.03.2009 00:57:29
System 1200 TCP 49155 0.0.0.0 0.0.0.0 Listening N/A AeLookupSvc, Appinfo, BITS, Browser, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, RasMan, Schedule, seclogon, SENS 12.03.2009 00:57:29
System 2400 TCP 49156 0.0.0.0 0.0.0.0 Listening N/A PolicyAgent 12.03.2009 00:57:29
System 692 TCP 49157 0.0.0.0 0.0.0.0 Listening N/A 12.03.2009 00:57:29
System 4 TCP 445 microsoft-ds 0.0.0.0 0.0.0.0 Listening N/A 12.03.2009 00:57:29
System 4 TCP 5357 0.0.0.0 0.0.0.0 Listening N/A 12.03.2009 00:57:29
System 1388 UDP 123 ntp 0.0.0.0 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient 12.03.2009 00:57:29
System 4 UDP 137 netbios-ns 192.168.1.20 N/A 12.03.2009 00:57:29
System 4 UDP 138 netbios-dgm 192.168.1.20 N/A 12.03.2009 00:57:29
System 1200 UDP 500 isakmp 0.0.0.0 N/A AeLookupSvc, Appinfo, BITS, Browser, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, RasMan, Schedule, seclogon, SENS 12.03.2009 00:57:29
System 1388 UDP 1900 ssdp 127.0.0.1 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient 12.03.2009 00:57:29
System 1388 UDP 1900 ssdp 192.168.1.20 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient 12.03.2009 00:57:29
System 1388 UDP 3702 upnp-discovery 0.0.0.0 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient 12.03.2009 00:57:29
System 1200 UDP 4500 ipsec-msft 0.0.0.0 N/A AeLookupSvc, Appinfo, BITS, Browser, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, RasMan, Schedule, seclogon, SENS 12.03.2009 00:57:29
System 1612 UDP 5355 llmnr 0.0.0.0 N/A CryptSvc, Dnscache, KtmRm, NlaSvc, TapiSrv, TermService 12.03.2009 00:57:29
System 1200 UDP 49429 127.0.0.1 N/A AeLookupSvc, Appinfo, BITS, Browser, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, RasMan, Schedule, seclogon, SENS 12.03.2009 00:57:29
System 1388 UDP 50302 0.0.0.0 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient 12.03.2009 00:57:29
System 1388 UDP 50321 192.168.1.20 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient 12.03.2009 00:57:29
System 1388 UDP 50322 127.0.0.1 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient 12.03.2009 00:57:29
System 936 TCP 135 epmap :: :: Listening N/A RpcSs 12.03.2009 00:57:29
System 4 TCP 445 microsoft-ds :: :: Listening N/A 12.03.2009 00:57:29
System 4 TCP 5357 :: :: Listening N/A 12.03.2009 00:57:29
System 620 TCP 49152 :: :: Listening N/A 12.03.2009 00:57:29
System 1080 TCP 49153 :: :: Listening N/A Audiosrv, Dhcp, Eventlog, lmhosts, wscsvc 12.03.2009 00:57:29
System 716 TCP 49154 :: :: Listening N/A KeyIso, SamSs 12.03.2009 00:57:29
System 1200 TCP 49155 :: :: Listening N/A AeLookupSvc, Appinfo, BITS, Browser, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, RasMan, Schedule, seclogon, SENS 12.03.2009 00:57:29
System 2400 TCP 49156 :: :: Listening N/A PolicyAgent 12.03.2009 00:57:29
System 692 TCP 49157 :: :: Listening N/A 12.03.2009 00:57:29
System 1388 UDP 123 ntp :: N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient 12.03.2009 00:57:29
System 1200 UDP 500 isakmp :: N/A AeLookupSvc, Appinfo, BITS, Browser, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, RasMan, Schedule, seclogon, SENS 12.03.2009 00:57:29
System 1388 UDP 1900 ssdp ::1 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient 12.03.2009 00:57:29
System 1388 UDP 3702 upnp-discovery :: N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient 12.03.2009 00:57:29
System 1612 UDP 5355 llmnr :: N/A CryptSvc, Dnscache, KtmRm, NlaSvc, TapiSrv, TermService 12.03.2009 00:57:29
System 1388 UDP 50303 :: N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient 12.03.2009 00:57:29
System 1388 UDP 50317 fe80::342d:177b:aa88:b119 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient 12.03.2009 00:57:29
System 1388 UDP 50318 fe80::c1bf:b180:4ce1:c2bc N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient 12.03.2009 00:57:29
System 1388 UDP 50319 ::1 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient 12.03.2009 00:57:29
System 1388 UDP 50320 fe80::100:7f:fffe N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient 12.03.2009 00:57:29
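
Added example, not part of any post in this thread: Python that groups CurrPorts rows by process and remote endpoint to list the "twins" in the log above. The tab-separated layout, the function names and the sample (leading columns of the post's rows, re-typed) are assumptions; rows that differ only in local port are separate sockets from one process to one server, which is how a browser's parallel HTTP connections to a site appear.

```python
from collections import defaultdict

# First 11 CurrPorts columns, in the order of the vertical record quoted in post #12.
COLUMNS = ["process", "pid", "proto", "local_port", "local_port_name",
           "local_addr", "remote_port", "remote_port_name",
           "remote_addr", "remote_host", "state"]

# Constructed sample: leading columns of rows from post #10, re-typed with tab
# separators (assumed export format); the header row is added on purpose.
SAMPLE = "\n".join([
    "Process Name\tProcess ID\tProtocol\tLocal Port\tLocal Port Name\tLocal Address"
    "\tRemote Port\tRemote Port Name\tRemote Address\tRemote Host Name\tState",
    "ccApp.exe\t2192\tTCP\t49754\t\t127.0.0.1\t\t\t0.0.0.0\t\tListening",
    "iexplore.exe\t5784\tTCP\t49757\t\t192.168.1.20\t80\thttp\t208.43.87.2"
    "\twww.bleepingcomputer.com\tEstablished",
    "iexplore.exe\t5784\tTCP\t49758\t\t192.168.1.20\t80\thttp\t208.43.87.2"
    "\twww.bleepingcomputer.com\tEstablished",
    "iexplore.exe\t5784\tTCP\t49759\t\t192.168.1.20\t80\thttp\t208.43.120.24"
    "\t208.43.120.24-static.reverse.softlayer.com\tEstablished",
    "iexplore.exe\t5784\tTCP\t49760\t\t192.168.1.20\t80\thttp\t74.125.79.127"
    "\tey-in-f127.google.com\tEstablished",
    "iexplore.exe\t5784\tUDP\t53464\t\t127.0.0.1\t\t\t\t\t",
])


def parse_rows(text):
    """Yield one dict per data row; header, blank and damaged lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (len(COLUMNS) - len(fields))      # pad short rows
        row = dict(zip(COLUMNS, (f.strip() for f in fields)))
        if not (row["pid"].isdigit() and row["local_port"].isdigit()):
            continue                                        # header or damaged line
        yield row


def find_twins(text, min_count=2):
    """Return groups of TCP connections sharing process, PID and remote endpoint."""
    groups = defaultdict(list)
    for row in parse_rows(text):
        # Listeners and UDP sockets have no remote port, so they are not connections.
        if row["proto"].upper() != "TCP" or not row["remote_port"].isdigit():
            continue
        key = (row["process"], int(row["pid"]),
               row["remote_addr"], int(row["remote_port"]))
        groups[key].append((int(row["local_port"]), row["state"], row["remote_host"]))

    report = []
    for (process, pid, addr, rport), conns in sorted(groups.items()):
        if len(conns) < min_count:
            continue
        ports = sorted(port for port, _, _ in conns)
        report.append({
            "process": process,
            "pid": pid,
            "remote": f"{addr}:{rport}",
            "host": conns[0][2],
            "local_ports": ports,
            "states": sorted({state for _, state, _ in conns}),
            # Ephemeral ports handed out back to back mean the sockets were
            # opened at almost the same moment by the same process.
            "consecutive": all(b - a == 1 for a, b in zip(ports, ports[1:])),
        })
    return report


if __name__ == "__main__":
    for group in find_twins(SAMPLE):
        print(f'{group["process"]} (PID {group["pid"]}) -> {group["remote"]} '
              f'[{group["host"]}] local ports {group["local_ports"]} '
              f'states {group["states"]} consecutive={group["consecutive"]}')
```
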

#11 mountainlake

mountainlake
  • Topic Starter

  • Members
  • 14 posts

Posted 11 March 2009 - 07:11 PM

Sorry, the currports came out in complete confusion, don't know how to arrange them :thumbsup:

#12 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 11 March 2009 - 08:12 PM

I just ran it on my system this morning, I don't think you are infected but I would like you to do a reboot and capture a new log with no browser open, use word wrap in notepad

next open IE and come to Bleepin, have no other tabs open, select IE from the curr window and save that part only

==================================================
Process Name : iexplore.exe
Process ID : 784
Protocol : UDP
Local Port : 1475
Local Port Name :
Local Address : 127.0.0.1
Remote Port :
Remote Port Name :
Remote Address :
Remote Host Name :
State :
Process Path : C:\Program Files\internet explorer\iexplore.exe
Product Name : Microsoft® Windows® Operating System
File Description : Internet Explorer
File Version : 6.00.2900.5512 (xpsp.080413-2105)
Company : Microsoft Corporation
Process Created On: 3/11/2009 8:55:48 PM
User Name : XXXXXXXXXXX
Process Services :
Process Attributes: A
Added On : 3/11/2009 9:07:18 PM
Module Filename : C:\WINDOWS\system32\WININET.dll
Remote IP Country :
Window Title : BleepingComputer.com -> Replying in Remote Address Twins - Microsoft Internet Explorer
==================================================

Some web pages keep ports open for a while after closing them???
Chewy

No. Try not. Do... or do not. There is no try.

#13 mountainlake

mountainlake
  • Topic Starter

  • Members
  • 14 posts

Posted 11 March 2009 - 08:59 PM

OK, I'll do so tomorrow morning, if you don't mind. It's 3:00 AM here and I had a hard day.

But I already can answer to your question, that I didn't notice that, only sometimes
at the bottom of the currports page a port with an associated webpage remains
for a while in "Time wait" status with a 0 process and sometimes when I try to close
manually a port, one or several other ports close instead of the selected one.
Or a change occurs and the selected one closes, but another one opens instead,
as if it was "behind" the selected one I wanted to close.
The twins don't correspond necessarily to the open webpage, as it is the case here
with the bleepingcomputer twins. In this example it couldn't have been an "ancient"
open webpage, 'cause I closed the session and ran the smit in my administrator account,
then closed the session there and came back to my standard account, I usually use to
go online.

Have a nice day and thanks again for your help :thumbsup:

#14 mountainlake

mountainlake
  • Topic Starter

  • Members
  • 14 posts

Posted 12 March 2009 - 05:08 AM

so here comes the log after reboot :

ccApp.exe 1220 TCP 49159 127.0.0.1 0.0.0.0 Listening C:\Program Files\Common Files\Symantec Shared\ccApp.exe Symantec Security Technologies Symantec User Session 106.2.0.21 Symantec Corporation 12.03.2009 10:22:58 A 12.03.2009 10:23:36
ccApp.exe 1220 TCP 49160 ::1 :: Listening C:\Program Files\Common Files\Symantec Shared\ccApp.exe Symantec Security Technologies Symantec User Session 106.2.0.21 Symantec Corporation 12.03.2009 10:22:58 A 12.03.2009 10:23:36
System 928 TCP 135 epmap 0.0.0.0 0.0.0.0 Listening N/A RpcSs 12.03.2009 10:23:36
System 4 TCP 139 netbios-ssn 192.168.1.20 0.0.0.0 Listening N/A 12.03.2009 10:23:36
System 620 TCP 49152 0.0.0.0 0.0.0.0 Listening N/A 12.03.2009 10:23:36
System 1068 TCP 49153 0.0.0.0 0.0.0.0 Listening N/A Audiosrv, Dhcp, Eventlog, lmhosts, wscsvc 12.03.2009 10:23:36
System 1168 TCP 49154 0.0.0.0 0.0.0.0 Listening N/A AeLookupSvc, Browser, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, RasMan, Schedule, seclogon, SENS, ShellHWDetection, Themes 12.03.2009 10:23:36
System 692 TCP 49155 0.0.0.0 0.0.0.0 Listening N/A KeyIso, SamSs 12.03.2009 10:23:36
System 2128 TCP 49156 0.0.0.0 0.0.0.0 Listening N/A PolicyAgent 12.03.2009 10:23:36
System 660 TCP 49157 0.0.0.0 0.0.0.0 Listening N/A 12.03.2009 10:23:36
System 4 TCP 445 microsoft-ds 0.0.0.0 0.0.0.0 Listening N/A 12.03.2009 10:23:36
System 4 TCP 5357 0.0.0.0 0.0.0.0 Listening N/A 12.03.2009 10:23:36
System 1392 UDP 123 ntp 0.0.0.0 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient, WinHttpAutoProxySvc 12.03.2009 10:23:36
System 4 UDP 137 netbios-ns 192.168.1.20 N/A 12.03.2009 10:23:36
System 4 UDP 138 netbios-dgm 192.168.1.20 N/A 12.03.2009 10:23:36
System 1168 UDP 500 isakmp 0.0.0.0 N/A AeLookupSvc, Browser, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, RasMan, Schedule, seclogon, SENS, ShellHWDetection, Themes 12.03.2009 10:23:36
System 1392 UDP 1900 ssdp 127.0.0.1 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient, WinHttpAutoProxySvc 12.03.2009 10:23:36
System 1392 UDP 1900 ssdp 192.168.1.20 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient, WinHttpAutoProxySvc 12.03.2009 10:23:36
System 1392 UDP 3702 upnp-discovery 0.0.0.0 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient, WinHttpAutoProxySvc 12.03.2009 10:23:36
System 1168 UDP 4500 ipsec-msft 0.0.0.0 N/A AeLookupSvc, Browser, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, RasMan, Schedule, seclogon, SENS, ShellHWDetection, Themes 12.03.2009 10:23:36
System 1600 UDP 5355 llmnr 0.0.0.0 N/A CryptSvc, Dnscache, NlaSvc, TapiSrv, TermService 12.03.2009 10:23:36
System 1392 UDP 55861 0.0.0.0 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient, WinHttpAutoProxySvc 12.03.2009 10:23:36
System 1392 UDP 62013 192.168.1.20 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient, WinHttpAutoProxySvc 12.03.2009 10:23:36
System 1392 UDP 62014 127.0.0.1 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient, WinHttpAutoProxySvc 12.03.2009 10:23:36
System 928 TCP 135 epmap :: :: Listening N/A RpcSs 12.03.2009 10:23:36
System 4 TCP 445 microsoft-ds :: :: Listening N/A 12.03.2009 10:23:36
System 4 TCP 5357 :: :: Listening N/A 12.03.2009 10:23:36
System 620 TCP 49152 :: :: Listening N/A 12.03.2009 10:23:36
System 1068 TCP 49153 :: :: Listening N/A Audiosrv, Dhcp, Eventlog, lmhosts, wscsvc 12.03.2009 10:23:36
System 1168 TCP 49154 :: :: Listening N/A AeLookupSvc, Browser, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, RasMan, Schedule, seclogon, SENS, ShellHWDetection, Themes 12.03.2009 10:23:36
System 692 TCP 49155 :: :: Listening N/A KeyIso, SamSs 12.03.2009 10:23:36
System 2128 TCP 49156 :: :: Listening N/A PolicyAgent 12.03.2009 10:23:36
System 660 TCP 49157 :: :: Listening N/A 12.03.2009 10:23:36
System 1392 UDP 123 ntp :: N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient, WinHttpAutoProxySvc 12.03.2009 10:23:36
System 1168 UDP 500 isakmp :: N/A AeLookupSvc, Browser, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, RasMan, Schedule, seclogon, SENS, ShellHWDetection, Themes 12.03.2009 10:23:36
System 1392 UDP 1900 ssdp ::1 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient, WinHttpAutoProxySvc 12.03.2009 10:23:36
System 1392 UDP 3702 upnp-discovery :: N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient, WinHttpAutoProxySvc 12.03.2009 10:23:36
System 1600 UDP 5355 llmnr :: N/A CryptSvc, Dnscache, NlaSvc, TapiSrv, TermService 12.03.2009 10:23:36
System 1392 UDP 55862 :: N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient, WinHttpAutoProxySvc 12.03.2009 10:23:36
System 1392 UDP 62009 fe80::342d:177b:aa88:b119 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient, WinHttpAutoProxySvc 12.03.2009 10:23:36
System 1392 UDP 62010 fe80::c1bf:b180:4ce1:c2bc N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient, WinHttpAutoProxySvc 12.03.2009 10:23:36
System 1392 UDP 62011 ::1 N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient, WinHttpAutoProxySvc 12.03.2009 10:23:36
System 1392 UDP 62012 fe80::100:7f:fffe N/A EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient, WinHttpAutoProxySvc 12.03.2009 10:23:36


And this is the IE part after coming back to this thread (and indeed there is only the start page port, which apparently remained open, and
not even a single bleepingcomputer port, though I navigated through 3 pages to reach this thread) :thumbsup:

iexplore.exe 5860 TCP 49169 192.168.1.20 80 http 74.125.79.127 ey-in-f127.google.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 10:31:56 PCLAC\Je A 12.03.2009 10:33:27 Search Results - Windows Internet Explorer
iexplore.exe 5860 UDP 58245 127.0.0.1 C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 10:31:56 PCLAC\Je A 12.03.2009 10:33:27 Search Results - Windows Internet Explorer

***
"The absence of proof is not the proof of absence." (chinese) :flowers:

#15 mountainlake

mountainlake
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:43 AM

Posted 12 March 2009 - 05:43 PM

So here I add what happens, step by step, when I log into my hotmail account

0. Before rebooting I run CCleaner, keeping only some necessary cookies
1. After reboot I open IExplorer at the Google startpage (the twins appear):

iexplore.exe 5608 TCP 49162 192.168.1.20 80 http 74.125.77.147 ew-in-f147.google.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:13:43 Google - Windows Internet Explorer
iexplore.exe 5608 TCP 49163 192.168.1.20 80 http 74.125.77.147 ew-in-f147.google.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:13:43 Google - Windows Internet Explorer
iexplore.exe 5608 UDP 51555 127.0.0.1 C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:13:44 Google - Windows Internet Explorer

2. Via the Favorites menu I access the login page of my hotmail account (username without password) (double twins):

iexplore.exe 5608 TCP 49170 192.168.1.20 80 http 213.248.125.8 213-248-125-8.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:15:28 Connexion - Windows Internet Explorer
iexplore.exe 5608 TCP 49171 192.168.1.20 80 http 213.248.125.8 213-248-125-8.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:15:28 Connexion - Windows Internet Explorer
iexplore.exe 5608 TCP 49172 192.168.1.20 80 http 213.248.125.8 213-248-125-8.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:15:28 Connexion - Windows Internet Explorer
iexplore.exe 5608 TCP 49173 192.168.1.20 80 http 213.248.125.8 213-248-125-8.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:15:28 Connexion - Windows Internet Explorer
iexplore.exe 5608 TCP 49174 192.168.1.20 80 http 213.248.125.73 213-248-125-73.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:15:28 Connexion - Windows Internet Explorer
iexplore.exe 5608 UDP 51555 127.0.0.1 C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:15:28 Connexion - Windows Internet Explorer

3. I log into my hotmail account :

iexplore.exe 5608 TCP 49178 192.168.1.20 80 http 64.4.20.184 dp3.mail.live.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49179 192.168.1.20 80 http 213.248.125.99 213-248-125-99.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49180 192.168.1.20 80 http 213.248.125.99 213-248-125-99.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49181 192.168.1.20 80 http 213.248.125.99 213-248-125-99.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49182 192.168.1.20 80 http 213.248.125.73 213-248-125-73.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49183 192.168.1.20 80 http 213.248.125.73 213-248-125-73.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49185 192.168.1.20 80 http 65.55.195.60 Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49186 192.168.1.20 80 http 207.46.120.38 Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49187 192.168.1.20 80 http 213.248.125.99 213-248-125-99.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49188 192.168.1.20 80 http 213.248.125.99 213-248-125-99.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49189 192.168.1.20 80 http 65.55.149.123 Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49190 192.168.1.20 80 http 65.55.162.252 help.live.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49191 192.168.1.20 80 http 213.248.125.57 213-248-125-57.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49192 192.168.1.20 80 http 192.221.97.126 Close Wait C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49193 192.168.1.20 80 http 213.248.125.57 213-248-125-57.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49195 192.168.1.20 80 http 213.199.141.141 Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49196 192.168.1.20 80 http 213.199.141.140 Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49197 192.168.1.20 80 http 213.199.141.141 Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49198 192.168.1.20 80 http 192.221.97.126 Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49199 192.168.1.20 80 http 199.93.50.126 Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49200 192.168.1.20 80 http 199.93.50.126 Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 UDP 51555 127.0.0.1 C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:16:32 Windows Live Hotmail - Windows Internet Explorer

4. I open Inbox :

iexplore.exe 5608 TCP 49178 192.168.1.20 80 http 64.4.20.184 dp3.mail.live.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:17:20 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49179 192.168.1.20 80 http 213.248.125.99 213-248-125-99.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:17:20 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49180 192.168.1.20 80 http 213.248.125.99 213-248-125-99.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:17:20 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49181 192.168.1.20 80 http 213.248.125.99 213-248-125-99.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:17:20 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49182 192.168.1.20 80 http 213.248.125.73 213-248-125-73.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:17:20 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49183 192.168.1.20 80 http 213.248.125.73 213-248-125-73.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:17:20 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49185 192.168.1.20 80 http 65.55.195.60 Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:17:20 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49186 192.168.1.20 80 http 207.46.120.38 Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:17:20 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49187 192.168.1.20 80 http 213.248.125.99 213-248-125-99.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:17:20 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49188 192.168.1.20 80 http 213.248.125.99 213-248-125-99.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:17:20 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49189 192.168.1.20 80 http 65.55.149.123 Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:17:20 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49190 192.168.1.20 80 http 65.55.162.252 help.live.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:17:20 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49191 192.168.1.20 80 http 213.248.125.57 213-248-125-57.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:17:20 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49193 192.168.1.20 80 http 213.248.125.57 213-248-125-57.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:17:20 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49195 192.168.1.20 80 http 213.199.141.141 Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:17:20 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49196 192.168.1.20 80 http 213.199.141.140 Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:17:20 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49197 192.168.1.20 80 http 213.199.141.141 Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:17:20 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 TCP 49201 192.168.1.20 80 http 213.248.125.99 213-248-125-99.customer.teliacarrier.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:17:20 Windows Live Hotmail - Windows Internet Explorer
iexplore.exe 5608 UDP 51555 127.0.0.1 C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:13:33 PCLAC\Je A 12.03.2009 23:17:20 Windows Live Hotmail - Windows Internet Explorer

5. I exit IExplorer
6. I come to this thread :

iexplore.exe 5376 TCP 49210 192.168.1.20 80 http 74.125.39.127 fx-in-f127.google.com Established C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:24:43 PCLAC\Je A 12.03.2009 23:26:28 Search Results - Windows Internet Explorer
iexplore.exe 5376 UDP 63009 127.0.0.1 C:\Program Files\Internet Explorer\iexplore.exe Windows® Internet Explorer Internet Explorer 7.00.6000.16386 (vista_rtm.061101-2205) Microsoft Corporation 12.03.2009 23:24:43 PCLAC\Je A 12.03.2009 23:26:28 Search Results - Windows Internet Explorer

:thumbsup:
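The grouping done by eye in the listings above, as an added example (not part of the thread and not CurrPorts code): it parses rows in the pasted column order and reports every process/remote endpoint pair holding more than one TCP connection, noting whether the local ports are consecutive. The column order, the state names and the sample rows (abridged to the state column from steps 1 to 3 of the post above) are assumptions taken from this page's paste format.

```python
import re
from collections import defaultdict, namedtuple

Conn = namedtuple(
    "Conn",
    "process pid local_port local_addr remote_port remote_addr remote_host state",
)

# Assumption: only the TCP states that appear in this thread's pastes.
STATES = r"Established|Close Wait|Listening"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(
    rf"^(?P<process>\S+)\s+(?P<pid>\d+)\s+TCP\s+"
    rf"(?P<local_port>\d+)\s+(?:[a-z][\w-]*\s+)?"    # optional local port name
    rf"(?P<local_addr>{IPV4})\s+"
    rf"(?P<remote_port>\d+)\s+(?:[a-z][\w-]*\s+)?"   # optional name such as "http"
    rf"(?P<remote_addr>{IPV4})\s+"
    rf"(?:(?P<remote_host>\S+)\s+)?"                 # optional reverse-DNS name
    rf"(?P<state>{STATES})\b"
)

# Rows abridged from the post above (columns after the state dropped).
SAMPLE = """
iexplore.exe 5608 TCP 49162 192.168.1.20 80 http 74.125.77.147 ew-in-f147.google.com Established
iexplore.exe 5608 TCP 49163 192.168.1.20 80 http 74.125.77.147 ew-in-f147.google.com Established
iexplore.exe 5608 TCP 49170 192.168.1.20 80 http 213.248.125.8 213-248-125-8.customer.teliacarrier.com Established
iexplore.exe 5608 TCP 49171 192.168.1.20 80 http 213.248.125.8 213-248-125-8.customer.teliacarrier.com Established
iexplore.exe 5608 TCP 49172 192.168.1.20 80 http 213.248.125.8 213-248-125-8.customer.teliacarrier.com Established
iexplore.exe 5608 TCP 49173 192.168.1.20 80 http 213.248.125.8 213-248-125-8.customer.teliacarrier.com Established
iexplore.exe 5608 TCP 49174 192.168.1.20 80 http 213.248.125.73 213-248-125-73.customer.teliacarrier.com Established
iexplore.exe 5608 TCP 49185 192.168.1.20 80 http 65.55.195.60 Established
iexplore.exe 5608 TCP 49192 192.168.1.20 80 http 192.221.97.126 Close Wait
iexplore.exe 5608 TCP 49198 192.168.1.20 80 http 192.221.97.126 Established
iexplore.exe 5608 UDP 51555 127.0.0.1
"""


def parallel_groups(text):
    """Return groups of 2+ TCP connections sharing process, PID and remote endpoint."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # UDP rows, listeners, IPv6 rows and blank lines are skipped
        c = Conn(**m.groupdict())
        key = (c.process, int(c.pid), c.remote_addr, int(c.remote_port))
        groups[key].append(c)

    report = []
    for (process, pid, addr, port), conns in groups.items():
        if len(conns) < 2:
            continue
        ports = sorted(int(c.local_port) for c in conns)
        report.append({
            "process": process,
            "pid": pid,
            "remote": f"{addr}:{port}",
            "host": next((c.remote_host for c in conns if c.remote_host), None),
            "count": len(ports),
            "local_ports": ports,
            # Distinct ports spanning exactly count-1 form one unbroken run.
            "consecutive": ports[-1] - ports[0] == len(ports) - 1,
        })
    return sorted(report, key=lambda g: -g["count"])


if __name__ == "__main__":
    for g in parallel_groups(SAMPLE):
        print(g["count"], g["remote"], g["host"], g["local_ports"], g["consecutive"])
```

Several connections from one browser process to the same remote address and port, on adjacent local ports, is the pattern produced when a browser fetches a page's resources over more than one connection per server.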



