David H. Lipman wrote:
> From: "Raffi" <thegrizzzly@yahoo.com>
>
> |
> | Thanks for the reply. Removing the P2P software and clearing the
> | \etc\hosts file did not correct the issue after all. I just logged in
> | with the administrator account and the network activity is no longer
> | there. This seems to be happening only when I log into my personal
> | account. During my last login, SERVICES.EXE was making the connections
> | rather than SVCHOST.EXE. Is there a way to determine if these files
> | have been tampered with?
> |
> | I'll try to get more information from netstat etc.
> |
> | Raffi
>
> Yes. Download and use Process Explorer
> http://www.microsoft.com/technet/sys...sExplorer.mspx
>
> And look at not only the file name SERVICES.EXE but the fully qualified name and path.
>
> SERVICES.EXE and SVCHOST.EXE should ONLY be executed from the folder; %windir%\system32
> If they are executed from any other location it is a sure sign of malware.
>
> Also, there are DLLs that can be loaded and use SERVICES.EXE and SVCHOST.EXE such that the
> legitimate SERVICES.EXE and/or SVCHOST.EXE are being loaded and used but are loading
> malicious DLL files.
>
> You can also run MSCONFIG.EXE and compare what is loaded as administrator vs. what is loaded
> in your everyday account. You indicated the activity stopped when you logged on as admin,
> thus what may be loaded to cause the activity is being loaded by that personal account.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
Dave,
Thanks for all the help and suggestions. I took the easy way out this
time. I created a new user and transferred all important files
(documents etc) to the new user. Then I deleted the original account.
This fixed the issue.
My guess is that this was some sort of malware. I did download process
explorer for future use. Sorry I couldn't chase this any longer but
this is my main workstation and I have a lot of work to do which had
been on hold while I was chasing this.
Thanks,
Raffi
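The three checks Dave recommends (full path of SERVICES.EXE/SVCHOST.EXE, DLLs loaded into them, and what autostarts per account versus for all users) can be scripted. This is an added example, not part of the thread or of Process Explorer/MSCONFIG; it assumes Windows PowerShell 5.1 or later on the affected machine, run from an elevated prompt so module lists of SYSTEM processes are readable.

```powershell
# Added example: scripted version of the manual checks described in the thread.
# Assumes Windows PowerShell 5.1+, run elevated (otherwise module lists of
# services.exe/svchost.exe are not readable and step 2 prints nothing).
$system32 = Join-Path $env:windir 'System32'

# 1. Every services.exe / svchost.exe should run from %windir%\System32.
Get-CimInstance Win32_Process -Filter "Name='services.exe' OR Name='svchost.exe'" |
    ForEach-Object {
        $dir = if ($_.ExecutablePath) { Split-Path $_.ExecutablePath -Parent } else { '<unreadable>' }
        [pscustomobject]@{
            PID     = $_.ProcessId
            Name    = $_.Name
            Path    = $_.ExecutablePath
            Verdict = if ($dir -ieq $system32) { 'expected location' } else { 'UNEXPECTED location - investigate' }
        }
    } | Format-Table -AutoSize

# 2. A legitimate host binary can still load a foreign DLL: list modules that
#    live outside %windir% (anything here deserves a closer look).
Get-Process -Name services, svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    try { $mods = $p.Modules } catch { $mods = @() }   # access denied for some PIDs
    $mods | Where-Object { $_.FileName -notlike "$env:windir\*" } |
        ForEach-Object { "PID $($p.Id) ($($p.Name)) loads $($_.FileName)" }
}

# 3. Compare what starts only for this account (HKCU) with what starts for
#    every account (HKLM); run once in each account to see the difference.
$runKeys = @{
    'Per-user (HKCU)'  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'All users (HKLM)' = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
}
foreach ($scope in $runKeys.Keys) {
    $key = Get-Item $runKeys[$scope] -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        "{0,-18} {1,-30} {2}" -f $scope, $name, $key.GetValue($name)
    }
}
```

Run it once in the personal account and once as administrator and diff the outputs; an entry that appears only under the personal account's HKCU Run key is the per-account loading point Dave describes.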