Guys, thanks a lot for the tips; indeed there was a KLP keylogger.
I removed it, but it seems that something else is amiss: I still see lots of traffic from explorer.exe on port 1472.

> > from a home computer I'm seeing lots of traffic generated from
> > explorer on port 1472 towards the microsoft-ds port, typically
> > on IP addresses starting with 35.xx.xx.xx
>
> This isn't clear...is it coming from a system you have
> control of? I'm going to assume that this is the
> case, since it seems you were able to run some kind of
> port to process mapping tool.

The traffic is indeed coming from a system I have control of; I still have no dumps though. I can see nothing worrying apart from the aforementioned keylogger, which has now been removed.

> > It looks like a worm but I could not find any references around
> > and Trend Micro detects nothing.
>
> What makes you say that it looks like a worm? What
> kind of activity are you seeing? Do you have
> captures?

Lots of data is transferred from my computer to the outside world, pretty much all to addresses in the 35.xx.xx.xx range on the microsoft-ds port. A huge amount of short-lived connections. I thought it looked like worm activity, but I might be wrong.

Thanks!

--
Giuseppe

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
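The symptom Giuseppe describes (one process opening a burst of short-lived connections to microsoft-ds on many external hosts) can be checked from a port-to-process listing rather than guessed at. The following is an added example, not code from the thread; the CSV-style log layout, the sample records and the thresholds are all constructed assumptions.

```python
"""Flag processes that open many short-lived outbound TCP/445 connections
to distinct non-private hosts, the pattern described in the thread."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in a netstat/TCPView-like layout (assumed format):
# timestamp,process,local_port,remote_ip,remote_port,duration_seconds
SAMPLE_LOG = """\
1,explorer.exe,1472,35.10.4.2,445,0.2
1,explorer.exe,1472,35.10.4.3,445,0.1
2,explorer.exe,1472,35.10.4.4,445,0.3
2,explorer.exe,1472,35.10.4.5,445,0.1
3,explorer.exe,1472,35.11.9.1,445,0.2
3,explorer.exe,1472,35.11.9.2,445,0.1
4,explorer.exe,1472,192.168.1.20,445,120.0
5,outlook.exe,1500,198.51.100.7,443,30.0
"""


def parse_log(text):
    """Parse the constructed CSV layout into tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, proc, lport, rip, rport, dur = line.split(",")
        rows.append((int(ts), proc, int(lport), rip, int(rport), float(dur)))
    return rows


def flag_scanners(rows, min_hosts=5, max_duration=1.0, port=445):
    """Return {process: distinct_hosts} for processes that reached at least
    `min_hosts` distinct public hosts on `port` with connections shorter
    than `max_duration` seconds. Thresholds are illustrative, not tuned."""
    targets = defaultdict(set)
    for _ts, proc, _lport, rip, rport, dur in rows:
        if rport != port or dur >= max_duration:
            continue
        if ip_address(rip).is_private:  # LAN file-share use is expected
            continue
        targets[proc].add(rip)
    return {p: len(h) for p, h in targets.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    print(flag_scanners(parse_log(SAMPLE_LOG)))  # {'explorer.exe': 6}
```

A long-lived connection to a LAN host on 445 (a mapped share) does not trip the rule; six sub-second connections to six distinct public hosts do.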
