IchBin wrote:
> IchBin wrote:
>> Guy Harris wrote:
>>> On Jul 13, 2007, at 5:19 PM, Guy Harris wrote:
>>>
>>>> (Its output resembles that of netstat, probably intentionally. I don't know whether any UN*Xes have tools such as that, i.e. either a command-line or graphical netstat-plus-process-name - probably some do.)
>>>
>>> A Linux netstat man page at
>>>
>>> http://linux.die.net/man/8/netstat
>>>
>>> indicates that there's a "--process" flag that shows the process ID and process name (probably the first N characters of the last component of the executable name, or something such as that) of the process that owns the socket; you have to be super-user to get that for processes not your own.
>>>
>>> lsof might also be able to get some information of that sort on some UN*Xes.
>>> _______________________________________________
>>> Wireshark-users mailing list
>>> [email protected]
>>> http://www.wireshark.org/mailman/listinfo/wireshark-users
>>
>> Thanks Guy for the info. On Windows the format is "Netstat -b". I do not see any associated program that started the connection. I suspect that programs that monitor the IP processes like WhatsRunning and System internals, under Windows, are just issuing Netstat commands and then capturing the output and displaying their own display window. At least that is what I have done in the past when writing that type of interface using Java.
>>
>
> [SNIP]
>
>> Again, thanks to you all for your guidance in this thread. This could be a moot issue since I am building a new computer and plan to use a different and newer Windows OS. That is, WinXP SP Pro 64bit, which may open another can of worms, so to speak.
>>
>
> Well, after looking around and looking at SmitfraudFix output I see something that is not correct.
>
> »»»»»»»»»»»»»»»»»»»»»»»» DNS
>
> Description: Realtek RTL8139 Family PCI Fast Ethernet NIC #2
> DNS Server Search Order: 68.87.64.146
> DNS Server Search Order: 68.87.75.194
>
> Description: Realtek RTL8139 Family PCI Fast Ethernet NIC #2
> DNS Server Search Order: 68.87.64.146
> DNS Server Search Order: 68.87.75.194
>
> HKLM\SYSTEM\CCS\Services\Tcpip\..\{83A9FF0F-296C-4D45-A153-6B8A6AFF8BCE}:
> DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222
> ,207.68.160.190 194.25.2.129 208.67.222.222
> HKLM\SYSTEM\CCS\Services\Tcpip\..\{8A153A46-7E4A-44EE-8443-D1D0EA855ABD}:
> DhcpNameServer=68.87.64.146 68.87.75.194
> HKLM\SYSTEM\CCS\Services\Tcpip\..\{E55D5B3A-6EDC-4FC0-9E4B-6EEA562E9F44}:
> DhcpNameServer=68.87.64.146 68.87.75.194
> HKLM\SYSTEM\CS1\Services\Tcpip\..\{83A9FF0F-296C-4D45-A153-6B8A6AFF8BCE}:
> DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222
> ,207.68.160.190 194.25.2.129 208.67.222.222
> HKLM\SYSTEM\CS1\Services\Tcpip\..\{8A153A46-7E4A-44EE-8443-D1D0EA855ABD}:
> DhcpNameServer=68.87.64.146 68.87.75.194
> HKLM\SYSTEM\CS1\Services\Tcpip\..\{E55D5B3A-6EDC-4FC0-9E4B-6EEA562E9F44}:
> DhcpNameServer=68.87.64.146 68.87.75.194
> HKLM\SYSTEM\CS3\Services\Tcpip\..\{83A9FF0F-296C-4D45-A153-6B8A6AFF8BCE}:
> DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222
> ,207.68.160.190 194.25.2.129 208.67.222.222
> HKLM\SYSTEM\CS3\Services\Tcpip\..\{8A153A46-7E4A-44EE-8443-D1D0EA855ABD}:
> DhcpNameServer=68.87.64.146 68.87.75.194
> HKLM\SYSTEM\CS3\Services\Tcpip\..\{E55D5B3A-6EDC-4FC0-9E4B-6EEA562E9F44}:
> DhcpNameServer=68.87.64.146 68.87.75.194
> HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146
> 68.87.75.194
> HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146
> 68.87.75.194
> HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146
> 68.87.75.194
>
> Not sure why these IP addresses are defined as a DhcpNameServer in the Windows registry (not Comcast):
> 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129
> 208.67.222.222
>
> Not sure how to get rid of them either. The instructions I see about these settings are to avoid changing them, which does not make sense since I do not think they should be there in the first place. Not really sure if this is a part of any problems I am having, but it does not look right. Guess I need to know the implications of having them defined as DhcpNameServer.
Just wanted to close this thread with a happy ending. I finally resolved it yesterday. Long story short, it did turn out to be Trojans. It's just that the four virus programs I run all of the time never picked them up. Once I had the 4 Trojan names I still could only find a few references via a Google search, so I guess they are fairly new ones. Oh, the program that caught them is a free one and is called 'AVG Free Advisor', http://free.grisoft.com. I happened to find it mentioned in the forums and newsgroups I visited while trying to determine what type of software problem I had.

You all were right about the ARP traffic. That is, ARP broadcasts were taking very little bandwidth, and that was normal volume. Well, not being a network person, I just had a hard time reconciling the light on my cable modem being lit all of the time when I was not downloading/uploading anything. It was not the ARP traffic but the other "Call HOME" traffic. When I use Wireshark now to look at my network card I see the same ARP traffic load, but the modem light goes on only sparingly. I think that is just the handshaking with the DHCP server.
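As an added illustration for the DhcpNameServer question quoted earlier in this thread (this is not code from the thread or from SmitfraudFix), the script below parses a SmitfraudFix-style DNS dump, reassembles values that the mail client wrapped onto a second line, de-duplicates the comma-joined repeats, and reports which interface keys carry resolvers outside the pair the ISP's DHCP server is expected to hand out. The sample dump is constructed from the addresses in the quoted output, and the expected set is assumed to be the Comcast pair (68.87.64.146, 68.87.75.194) that appears on the healthy interfaces; a real check would compare against whatever the current DHCP lease actually offered.

```python
import re

# Constructed sample, modelled on the SmitfraudFix DNS section quoted in the
# thread. The mail client wrapped long values, so a value may continue on
# the following line (sometimes starting with a comma).
SAMPLE_DUMP = r"""
HKLM\SYSTEM\CCS\Services\Tcpip\..\{83A9FF0F-296C-4D45-A153-6B8A6AFF8BCE}:
DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222
,207.68.160.190 194.25.2.129 208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8A153A46-7E4A-44EE-8443-D1D0EA855ABD}:
DhcpNameServer=68.87.64.146 68.87.75.194
HKLM\SYSTEM\CS1\Services\Tcpip\..\{83A9FF0F-296C-4D45-A153-6B8A6AFF8BCE}:
DhcpNameServer=207.68.160.190 194.25.2.129 208.67.222.222
,207.68.160.190 194.25.2.129 208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146
68.87.75.194
"""

# Assumption for this example: the resolvers the DHCP server on this link is
# expected to hand out (the Comcast pair seen on the healthy interfaces).
EXPECTED_RESOLVERS = {"68.87.64.146", "68.87.75.194"}

# A registry key line: "HKLM\SYSTEM\<ControlSet>\Services\Tcpip\<rest>:" with
# an optional value on the same line.
KEY_RE = re.compile(r"^(?P<key>HKLM\\SYSTEM\\[^:]+):\s*(?P<tail>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")


def parse_dhcp_name_servers(dump: str) -> dict:
    """Map each registry key path to the ordered, de-duplicated list of
    IPv4 addresses found in its DhcpNameServer value."""
    raw_values = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = KEY_RE.match(line)
        if match:
            current = match.group("key")
            raw_values[current] = match.group("tail")
        elif current is not None:
            # Either "DhcpNameServer=..." on its own line or a wrapped
            # continuation of the previous value; glue it to the key.
            raw_values[current] += " " + line

    servers = {}
    for key, text in raw_values.items():
        value = text.split("DhcpNameServer=", 1)[-1]
        ordered = []
        for ip in IPV4_RE.findall(value):
            if ip not in ordered:          # drop the comma-joined repeats
                ordered.append(ip)
        servers[key] = ordered
    return servers


def find_unexpected_resolvers(servers_by_key: dict, expected: set) -> dict:
    """Return {key: [addresses not in expected]} for keys that list any
    resolver outside the expected set."""
    flagged = {}
    for key, ips in servers_by_key.items():
        unexpected = [ip for ip in ips if ip not in expected]
        if unexpected:
            flagged[key] = unexpected
    return flagged


def interfaces_flagged(flagged: dict) -> set:
    """Collapse per-control-set keys to the interface GUID (or 'Parameters'
    for the global key) so one bad adapter is reported once."""
    names = set()
    for key in flagged:
        guid = GUID_RE.search(key)
        names.add(guid.group(0) if guid else key.rsplit("\\", 1)[-1])
    return names


if __name__ == "__main__":
    parsed = parse_dhcp_name_servers(SAMPLE_DUMP)
    bad = find_unexpected_resolvers(parsed, EXPECTED_RESOLVERS)
    for key, ips in bad.items():
        print(f"{key}\n    unexpected DhcpNameServer entries: {' '.join(ips)}")
    print("interfaces to investigate:", ", ".join(sorted(interfaces_flagged(bad))))
```

Running it against the constructed dump reports the {83A9FF0F-...} adapter key under both CCS and CS1 and collapses them to a single interface, which is the question the thread was circling: the odd resolvers are tied to one adapter's DHCP-assigned value, not to the global Parameters key, so that adapter (and whatever is supplying its lease) is where to look.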
