.........between this post and my last. It seems like the rate that posters are messaging this forum is actually picking up?
I brought a friend's system home to work on it. Naturally he has ME installed on it. He said the machine is "possessed" and he would like me to check it out!! I could not find anything wrong with it. I disabled as many running applications as possible. I scanned his system for viruses using my system. I disabled the auto update feature. Power saving features were left running. Monitor off after 30 min. Hard disk spindown after 45 min. Stand-by after 1 hr. Naturally the system drivers, the OS and software have all patches applied. The registry is pretty clear of running services and applications.
All auto updating features are shut down. So to the point!! Last evening I was restless. I figured that I would catch a late night flick. So while I was watching a movie on TV, this PC was sitting there in stand-by mode. At around 2:30AM the machine came back on line. After a few moments several DOS boxes whizzed by, then the system went back into stand-by! WOW!! I checked System Restore and the machine performed its last check-point at 12:01AM. Wake on LAN and anything like that have all been disabled in the BIOS!! I installed Sniffer Pro and created a filter so that any packets sent and received @ 2:30AM tomorrow morning will be captured so I can rule out TROJAN infestations that might have been over-looked by AVG & Norton AV..
I have a feeling that M$ is at the heart of the matter...no doubt.
Meanwhile my system running Win2K & my OLD Win98 systems are still running strong!!!
XP will be completely beyond "SPYWARE" and the screws are turning with ME as we speak.

I've noticed it, and it's always the same problems...but some would say Windows ME is the s---s and giggles

OK....port 5000 opened. Sent 68 packets out to 207.68.131.27
Using the sniffer I was only able to see encrypted text along with the binary values.
207.68.131.27 is the M$ site. Port 5000 opens with Socket De Trois (trojan) and the MS site. As to the contents, the machine was scanned or, per instructions, connected and dumped data. I have not had this happen on any of my machines, yet no Trojans are present on this system, so I can deduce that licence management scanning is being used?!?!
I use sniffers often when looking at connections since I want to find out what info is being sent. Stopping the connection would only put off the connection till another time or attempt. Well, I have no idea what was in those packets, yet when on stand-by nothing should be waking the machine to send out packets. If auto update was enabled I could see it. I will post more after I run some of the binary strings around my hacker group friends and see what they think about it??

i looked up a big discussion over at VirtualDr from a while back for you... you may find it interesting:
http://discussions.virtualdr.com/Forum16/HTML/000885.html
Apparently ssdpsrv is using port 5000. This is the component Universal PnP adds to the startup group.
If you don't want it to hit this port anymore, just uninstall Universal PnP from Windows Setup >> Communications.
I have no idea why this needs to "phone home"... but I thought you might like to know.

That would be reasonable, but.............
UPnP is not installed and this machine will wake up and send packets. I know where they are going! I in a way know why! I can't believe it though!?!?! Well, without getting into a big thing, issues like this will creep up more and more until we are in .NET LAND!!
The guy that owns the machine wants me to dump ME for 98 as a result. I have also noticed that lots of systems are getting hit with viruses as of late that normally would not get "HIT". ME and what lies beyond are thin clients. Regardless of how they perform I really don't want to be involved with this sort of networking. Well, I will clear off the machine tomorrow and get it back to him. If MS has some covert s..t running on his system it could be because of something that he installed or some Trojan that is running. This is really unlike anything that I have ever encountered. Normally I don't give up easily; in this case I would call this STRIKE THREE. If I had a little more time to spend I would go with ZoneAlarm Pro and find out the name of the application, but he wants his machine back. I ran out of applications to disable, remove and shut down in this case. Normally if you run NETSTAT /A port 5000 will be an open UDP port. I remember that Sirdistic claimed that Cult of the Dead Cow would be using port 5000 for a script exploit. Shortly after, Win-ME came out and it would seem that MS plugged 5000 by using it! I did not think that any packets would ever be sent or received by it though. I now see otherwise....
...........Over and Out!!!
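The approach the original poster describes (capture everything around the wake-up time, then work out where the box is talking and on which local port) can be reduced to a small script once the capture is exported as text. The example below is added here and is not from the thread or from Sniffer Pro; the log format, the local address 192.168.1.20, the port numbers and the timestamps are all constructed to echo the post, and the "expected destination" rule (private ranges, broadcast and multicast are normal for a LAN box) is an assumption that you would tune for the network in question.

```python
"""Added example (not from the forum thread): filter a packet log for a
time window, sum outbound traffic per destination, and flag remote hosts
that a machine in stand-by has no business contacting.
All data below is constructed; the format mimics a simple text export."""
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample capture: "HH:MM:SS src:port dst:port PROTO len".
# The 207.68.131.27:80 records echo the poster's report; the rest is
# ordinary LAN noise (SSDP multicast, NetBIOS broadcast, DNS).
SAMPLE_CAPTURE = """\
02:29:58 192.168.1.20:1900 239.255.255.250:1900 UDP 133
02:30:01 192.168.1.20:5000 207.68.131.27:80 TCP 60
02:30:01 192.168.1.20:5000 207.68.131.27:80 TCP 52
02:30:02 207.68.131.27:80 192.168.1.20:5000 TCP 60
02:30:07 192.168.1.20:137 192.168.1.255:137 UDP 92
02:31:40 192.168.1.20:5000 207.68.131.27:80 TCP 1500
03:05:00 192.168.1.20:1026 192.168.1.1:53 UDP 71
"""

LINE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d) (\S+):(\d+) (\S+):(\d+) (TCP|UDP) (\d+)$")


def parse_capture(text):
    """Turn the text export into a list of dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t, src, sport, dst, dport, proto, length = m.groups()
        records.append({
            "time": datetime.strptime(t, "%H:%M:%S").time(),
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
            "proto": proto, "len": int(length),
        })
    return records


def outbound_summary(records, local_ip, start, end):
    """Group packets *sent by* local_ip inside [start, end] by
    (destination IP, destination port, protocol), keeping the set of
    local source ports so an odd one (e.g. 5000) stands out."""
    start_t = datetime.strptime(start, "%H:%M:%S").time()
    end_t = datetime.strptime(end, "%H:%M:%S").time()
    summary = defaultdict(lambda: {"packets": 0, "bytes": 0, "sports": set()})
    for r in records:
        if r["src"] != local_ip or not (start_t <= r["time"] <= end_t):
            continue
        key = (r["dst"], r["dport"], r["proto"])
        summary[key]["packets"] += 1
        summary[key]["bytes"] += r["len"]
        summary[key]["sports"].add(r["sport"])
    return dict(summary)


def is_expected_destination(ip):
    """Assumed rule: RFC 1918 ranges, broadcast and multicast (224/4 and
    above) are normal for a LAN host; anything else is a remote host that
    needs explaining."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return (a == 10 or (a == 172 and 16 <= b <= 31)
            or (a == 192 and b == 168) or a >= 224)


def unexplained_destinations(summary):
    """Keys of the summary that fail the expected-destination rule."""
    return sorted(k for k in summary if not is_expected_destination(k[0]))


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    summ = outbound_summary(recs, "192.168.1.20", "02:29:00", "02:35:00")
    for key in unexplained_destinations(summ):
        info = summ[key]
        print("%s:%d/%s  %d packets, %d bytes, from local ports %s"
              % (key[0], key[1], key[2], info["packets"], info["bytes"],
                 sorted(info["sports"])))
```

Run against the constructed capture, only 207.68.131.27:80/TCP is reported, with all three packets coming from local port 5000; the SSDP multicast and NetBIOS broadcast fall under the expected rule and the 03:05 DNS query is outside the window. The script only tells you where the traffic went and which local port sent it; as the poster notes, naming the process behind that port still needs a host-side tool (NETSTAT on a modern Windows shows the PID, ZoneAlarm-style prompts on the box itself in his case).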
