From: "Raffi" <thegrizzzly@yahoo.com>

|
| Thanks for the reply. Removing the P2P software and clearing the
| \etc\hosts file did not correct the issue after all. I just logged in
| with the administrator account and the network activity is no longer
| there. This seems to be happening only when I log into my personal
| account. During my last login, SERVICES.EXE was making the connections
| rather than SVCHOST.EXE. Is there a way to determine if these files
| have been tampered with?
|
| I'll try to get more information from netstat etc.
|
| Raffi

Yes. Download and use Process Explorer
http://www.microsoft.com/technet/sys...sExplorer.mspx

And look at not only the file name SERVICES.EXE but the fully qualified name and path.

SERVICES.EXE and SVCHOST.EXE should ONLY be executed from the folder %windir%\system32.
If they are executed from any other location it is a sure sign of malware.

Also, there are DLLs that can be loaded and use SERVICES.EXE and SVCHOST.EXE such that the
legitimate SERVICES.EXE and/or SVCHOST.EXE are being loaded and used but are loading
malicious DLL files.

You can also run MSCONFIG.EXE and compare what is loaded as administrator vs. what is loaded
in your everyday account. You indicated the activity stopped when you logged on as admin,
thus what may be loaded to cause the activity is being loaded by that personal account.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
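
The path check described in the reply above, as an added PowerShell example that is not part of the original post. It assumes PowerShell 3.0 or later and an elevated prompt; the variable names and status strings are illustrative, and the DLL listing is a review aid, since legitimate software also loads modules from outside %windir%.

```powershell
# Added example: check where services.exe / svchost.exe are really running from,
# and list any DLLs they have loaded from outside %windir%.
# Run elevated; without elevation the executable path may not be readable.

$expectedDir = Join-Path $env:windir 'System32'
$names       = 'services.exe', 'svchost.exe'
$ignoreCase  = [StringComparison]::OrdinalIgnoreCase

$results = foreach ($p in Get-CimInstance Win32_Process |
                          Where-Object { $names -contains $_.Name }) {

    $path = $p.ExecutablePath
    if ([string]::IsNullOrEmpty($path)) {
        $status = 'UNKNOWN (path not readable, re-run elevated)'
    }
    elseif ([string]::Equals((Split-Path $path -Parent), $expectedDir, $ignoreCase)) {
        $status = 'OK'
    }
    else {
        $status = 'SUSPICIOUS (unexpected location)'
    }

    # A legitimate host process can still load a bad DLL, so list modules
    # that were loaded from outside %windir% for manual review.
    $mods = @()
    $proc = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
    if ($proc) {
        try {
            $mods = @($proc.Modules |
                Where-Object { $_.FileName -and
                               -not $_.FileName.StartsWith($env:windir, $ignoreCase) } |
                ForEach-Object { $_.FileName })
        }
        catch {
            # Protected processes refuse module enumeration even when elevated.
            $mods = @('<modules not readable>')
        }
    }

    [pscustomobject]@{
        Name         = $p.Name
        PID          = $p.ProcessId
        Path         = $path
        Status       = $status
        OutsideWinDLL = ($mods -join '; ')
    }
}

$results | Sort-Object Status, Name | Format-Table -AutoSize -Wrap
```

Running it once from the administrator account and once from the affected personal account gives two listings that can be compared line by line.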