Securing your PC
The other day I followed a link from a blog I read. Nothing new there. On the new site I again followed what turned out to be a deceptively named link, and ended up on a pron site. While I immediately disconnected that session, it was too late, as I found out later. Knowing that pron sites are among the top sources of loaders and other assorted nasties, I immediately started loading new software and scanning the shit out of my computer, starting with a basic command from a Windows command prompt.
The command is netstat. Here are its options:
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]
-a … Displays all connections and listening ports.
-b … Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom; on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.
-e … Displays Ethernet statistics. This may be combined with the -s option.
-n … Displays addresses and port numbers in numerical form.
-o … Displays the owning process ID associated with each connection.
-p proto … Shows connections for the protocol specified by proto; proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s option to display per-protocol statistics, proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
-r … Displays the routing table.
-s … Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default.
-v … When used in conjunction with -b, will display the sequence of components involved in creating the connection or listening port for all executables.
interval … Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.
I recommend starting with netstat -a -b -v, which returns output like this (only a lot more of it):
TCP doug-home:1080 localhost:1079 ESTABLISHED 3544
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
C:\Program Files\Mozilla Thunderbird\nspr4.dll
C:\Program Files\Mozilla Thunderbird\xpcom_core.dll
ntkrnlpa.exe
C:\Program Files\Mozilla Thunderbird\xpcom_core.dll
ntkrnlpa.exe
C:\Program Files\Mozilla Thunderbird\xpcom_core.dll
ntkrnlpa.exe
[thunderbird.exe]
TCP doug-home:1088 localhost:1089 ESTABLISHED 3984
C:\WINDOWS\system32\WS2_32.dll
C:\Program Files\Mozilla Firefox\nspr4.dll
C:\Program Files\Mozilla Firefox\xpcom_core.dll
ntkrnlpa.exe
C:\Program Files\Mozilla Firefox\xpcom_core.dll
ntkrnlpa.exe
C:\Program Files\Mozilla Firefox\xpcom_core.dll
ntkrnlpa.exe
C:\Program Files\Mozilla Firefox\xpcom_core.dll
[firefox.exe]
You’re looking for things that normally shouldn’t be connecting out. Time to go get some scanners (I should have had them anyway, my bad) to supplement , , and .
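Reading that output by eye gets old fast, so here is an added example (my own code, not from the original post) that does the sorting for you. It parses saved netstat -a -b -v (or -a -b -o) text into one record per socket, with the executable name from the [] line and the component chain above it, groups the records by process, and flags the ones worth a second look: ports listening on a non-loopback address, established connections to anything other than the machine itself, and sockets whose owner netstat could not name. The sample output, the hostname doug-home and the remote addresses are constructed for the example.

```python
"""Triage helper for saved `netstat -a -b -v` / `netstat -a -b -o` output.

Added example, not part of the original post. Rebuilds one record per
socket (protocol, endpoints, state, PID, owning executable and, with -v,
the component chain), groups them by process and flags the interesting
ones from a defender's point of view.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Connection line: proto, local endpoint, remote endpoint, optional TCP
# state (UDP lines have none), then the owning PID that -b / -o print.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")
# Owner line printed by -b: the executable name in square brackets.
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
# Printed by netstat instead of [exe] when it lacks the rights to look.
NO_OWNER = "Can not obtain ownership information"

LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}


@dataclass
class Socket:
    proto: str
    local: str
    remote: str
    state: str            # "" for UDP
    pid: int
    exe: str = "?"        # "?" when netstat printed no owner
    components: list = field(default_factory=list)   # -v chain, top to bottom


def split_endpoint(endpoint):
    """'doug-home:1080' -> ('doug-home', '1080'); works for IPv6 '[::1]:80' too."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Turn raw netstat text into Socket records."""
    sockets, pending = [], []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            pending.append(Socket(proto, local, remote, state or "", int(pid)))
            continue
        m = OWNER_RE.match(line)
        if m:
            for s in pending:
                s.exe = m.group(1)
            sockets.extend(pending)
            pending = []
            continue
        comp = line.strip()
        if comp == NO_OWNER:
            sockets.extend(pending)     # owner stays "?"
            pending = []
        elif comp and pending:
            for s in pending:           # lines between the socket and its
                s.components.append(comp)  # [owner] are the -v component chain
    sockets.extend(pending)             # trailing sockets with no owner line
    return sockets


def by_process(sockets):
    """Group sockets by (executable, PID) so one process is reviewed at once."""
    groups = defaultdict(list)
    for s in sockets:
        groups[(s.exe, s.pid)].append(s)
    return dict(groups)


def triage(sockets, machine_names=()):
    """Return (socket, reason) pairs worth checking first.

    machine_names: this host's own name(s), so a connection to itself is
    not reported as outbound (assumption: the reader supplies them).
    """
    own = LOOPBACK | set(machine_names)
    findings = []
    for s in sockets:
        lhost, _ = split_endpoint(s.local)
        rhost, _ = split_endpoint(s.remote)
        if s.exe == "?":
            findings.append((s, f"owner unknown, check PID {s.pid} from an elevated prompt"))
        if s.state == "LISTENING" and lhost not in LOOPBACK:
            findings.append((s, f"listening on {s.local}, reachable from the network"))
        elif s.state == "ESTABLISHED" and rhost not in own:
            findings.append((s, f"established connection out to {s.remote}"))
        elif s.proto == "UDP" and lhost not in LOOPBACK:
            findings.append((s, f"UDP socket bound on {s.local}"))
    return findings


# Constructed sample in the same shape as the post's output; the hostname,
# PIDs and remote addresses are made up for the example.
SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            doug-home:0            LISTENING       1032
  RpcSs
 [svchost.exe]
  TCP    127.0.0.1:1080         localhost:1079         ESTABLISHED     3544
  C:\WINDOWS\system32\mswsock.dll
  C:\Program Files\Mozilla Thunderbird\nspr4.dll
 [thunderbird.exe]
  TCP    doug-home:1088         localhost:1089         ESTABLISHED     3984
 [firefox.exe]
  TCP    doug-home:1090         203.0.113.7:80         ESTABLISHED     3984
 [firefox.exe]
  TCP    doug-home:1101         198.51.100.23:6667     ESTABLISHED     2212
  Can not obtain ownership information
  UDP    0.0.0.0:500            *:*                                     688
 [lsass.exe]
"""

if __name__ == "__main__":
    socks = parse_netstat(SAMPLE)
    for (exe, pid), group in by_process(socks).items():
        print(f"{exe} (PID {pid}): {len(group)} socket(s)")
    for s, reason in triage(socks, machine_names=("doug-home",)):
        print(f"  {s.exe:<16} {s.proto} {s.local:<22} -> {s.remote:<22} {reason}")
```

Run it against a file saved with netstat -a -b -v > sockets.txt by replacing SAMPLE with the file's contents. The loopback chatter between Thunderbird, Firefox and localhost is deliberately left out of the findings; what surfaces is the exposed listener, the two real outbound connections and the socket nobody will own up to.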
First up: , which has a free 30-day trial, then limited functionality afterwards. I will be buying this product for certain. Turns out that msisip.dll, while an authentic Windows file, had actually been replaced by
Next up: another very good program that removes any . Fortunately there were none once msisip.dll had been quarantined.
Next up, install two BHOs (Browser Helper Objects), and , both free and both worth it.
Both of those BHOs will alert you to bad sites if you land on them but the McAfee one is particularly helpful when you are searching on Google as it will warn you right there before you click on a link if there have been bad things reported about that link in the past.
Lesson learned!
Comment from M. Douglas Wray
Time: 2/24/2007, 2:31 pm
I always laugh when I see a site like that try to download something to my Mac. Occasionally I actually LET it and then dissect the helpless little blob of code-crap it barfs out.
Then I go back to doing something productive.