#1
Need help - suspicious netstat activity?
Hi guys - new to the forum, was linked via a Google search to this post:
http://www.cybertechhelp.com/forums/...d.php?t=103465

Anyways - several odd things - firstly, I'm on a network, behind a router firewall etc. I'm not the admin of the network. Said network runs McAfee Enterprise 8 antivirus software. My PC runs like a dog (AMD 3000+, 2.5 GB RAM, Windows XP Pro) and my network connection/Internet connection always seems slower than the rest of the PCs on the network. I don't go to "those" websites (I'm sure you can figure out what I mean), I run the Microsoft anti-spyware software on an automated daily scan at 2am, and Spybot once a week. I use both IE 7 and Firefox 2, usually IE though as I prefer it. Windows is patched up to date, and during the install process I installed Windows XP SP1 whilst d/l SP2 via another PC. Whilst setting up XP SP1, I did not enable networking connectivity, and installed SP2 from CD before enabling it.

I run a bunch of software, the usual stuff, plus my own favourites such as Photoshop CS2, Neat Image, Capture One Pro etc. I can provide a full list of installed applications if you want, just in case it helps. Anyways, when connecting my system back to the network after an initial install of Windows, the antivirus software always has to be manually installed; it never seems to auto install onto my system as it should.

Anyways, here is my netstat file (netstat -ano) for your perusal:
Code:
Active Connections

Proto  Local Address          Foreign Address        State           PID
TCP    MORGOTH:epmap          MORGOTH.dia.net.au:0   LISTENING       888
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  -- unknown component(s) --
  [svchost.exe]
TCP    MORGOTH:microsoft-ds   MORGOTH.dia.net.au:0   LISTENING       4
  [System]
TCP    MORGOTH:8081           MORGOTH.dia.net.au:0   LISTENING       1920
  [FrameworkService.exe]
TCP    MORGOTH:netbios-ssn    MORGOTH.dia.net.au:0   LISTENING       1020
  -- unknown component(s) --
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\ADVAPI32.dll
  [svchost.exe]
TCP    MORGOTH:netbios-ssn    MORGOTH.dia.net.au:0   LISTENING       4
  [System]
TCP    MORGOTH:4828           td-in-f166.google.com:http   ESTABLISHED   2600
  [iexplore.exe]
TCP    MORGOTH:4829           da-in-f104.google.com:http   ESTABLISHED   2600
  [iexplore.exe]
TCP    MORGOTH:4880           a203-111-15-232.deploy.akamaitechnologies.com:http   ESTABLISHED   3092
  [MsnMsgr.Exe]
TCP    MORGOTH:4881           www.games.defencejobs.gov.au:http   ESTABLISHED   3092
  [MsnMsgr.Exe]
TCP    MORGOTH:4887           by1msg2145217.phx.gbl:1863   ESTABLISHED   3092
  [MsnMsgr.Exe]
TCP    MORGOTH:4888           c.msn.com:http         LAST_ACK        3092
  [MsnMsgr.Exe]
TCP    MORGOTH:4877           65.54.239.20:1863      TIME_WAIT       0
TCP    MORGOTH:4885           207.46.26.253:7001     TIME_WAIT       0
TCP    MORGOTH:4885           207.46.26.254:7001     TIME_WAIT       0
TCP    MORGOTH:4886           65.54.239.20:1863      TIME_WAIT       0
UDP    MORGOTH:1027           *:*                                    1216
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]
UDP    MORGOTH:4500           *:*                                    668
  [lsass.exe]
UDP    MORGOTH:8082           *:*                                    1920
  [FrameworkService.exe]
UDP    MORGOTH:isakmp         *:*                                    668
  [lsass.exe]
UDP    MORGOTH:1026           *:*                                    1216
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]
UDP    MORGOTH:8081           *:*                                    1920
  [FrameworkService.exe]
UDP    MORGOTH:1028           *:*                                    1216
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]
UDP    MORGOTH:1025           *:*                                    1216
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]
UDP    MORGOTH:microsoft-ds   *:*                                    4
  [System]
UDP    MORGOTH:4440           *:*                                    1216
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]
UDP    MORGOTH:3661           *:*                                    1216
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]
UDP    MORGOTH:4749           *:*                                    668
  [lsass.exe]
UDP    MORGOTH:1900           *:*                                    1316
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]
UDP    MORGOTH:4752           *:*                                    2600
  [iexplore.exe]
UDP    MORGOTH:ntp            *:*                                    1020
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]
UDP    MORGOTH:4479           *:*                                    3092
  [MsnMsgr.Exe]
UDP    MORGOTH:1072           *:*                                    612
  [winlogon.exe]
UDP    MORGOTH:ntp            *:*                                    1020
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]
UDP    MORGOTH:netbios-dgm    *:*                                    1020
  -- unknown component(s) --
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]
UDP    MORGOTH:netbios-ns     *:*                                    1020
  -- unknown component(s) --
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]
UDP    MORGOTH:1900           *:*                                    1316
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]
UDP    MORGOTH:netbios-dgm    *:*                                    4
  [System]
UDP    MORGOTH:discard        *:*                                    3092
  [MsnMsgr.Exe]
UDP    MORGOTH:netbios-ns     *:*                                    4
  [System]
UDP    MORGOTH:ntp            *:*                                    1020
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

Code:
-- unknown component(s) --

Code:
TCP    MORGOTH:4881           www.games.defencejobs.gov.au:http   ESTABLISHED   3092
  [MsnMsgr.Exe]

Furthermore, none of the other PCs on the network have this issue. It doesn't matter whether it's MSN v7.6 (the last version before Live Messenger), or Live Messenger, it happens with both. It doesn't matter which user account I log into MSN Messenger on. I haven't tried logging into someone else's PC with my account details - yet. I want to see if it's an account based issue I guess. Furthermore, since McAfee software is running, I should have the mcshield.exe process listening via netstat in the background, as several other PCs have it. My PC doesn't. I haven't taken this up with the owner of the network yet, I believe that he will not be interested at all and will just say I'm paranoid.

I'm proudly anti American government in my sentiment, and I'm not afraid to speak out against the atrocities that the US government does, in both terms of freedom, and illegal invasions of other countries, and I suspect that this has got me now being spied on by government authorities. I used to run GNU/Linux, which is my preferred operating system, but since I'm a photographer on the side, I need to use Photoshop/Neat Image/Capture One Pro, which don't run under WINE/Cedega/CrossOver Office on Linux.

If you want me to provide other files, etc, I'll be happy to. Any help/suggestions/ideas would be appreciated.

Cheers,
Dave

Last edited by dpastern; July 2nd, 2007 at 02:01 AM. Reason: changed quote tags to code tags
#2
Go download and run TCPView and post the log file here (file/save). This should show us exactly what modules are communicating on which ports. More to the point, we should see what the unknown module is.
#3
Quote:
www.games.defencejobs.gov.au

Why? I've never been there before. It happens ONLY on this computer. None of the other computers on the network have this issue. It doesn't matter which Hotmail account I use to sign into MSN Live on my PC, it always has this connection. This connection has been happening for quite some time, I've even reformatted and reinstalled Windows and it's still happening. After a small period of time, the connection is dropped, and is showing as 'discard'. Why? I haven't been able to test signing into another PC with my own Hotmail account to see if it's attached to my actual Hotmail account. No one here wants to help me test this, self centred *******s.

Also, these unknown components worry me. They could be legit, but they could be malicious as well.

Windows is NOT my preferred operating system, personally, I find it a pile of ****. GNU/Linux is my preferred platform. I should test this on my Mac actually (PowerMac G4, 1 GHz, 10.3.9)!!!

Note: On my previous install, I did notice some odd processes running, but didn't screendump it. By the time I researched the process and found that it was a trojan, the process had quit and subsequent searches on the system directory and registry found nothing. My suspicion is that the system was being monitored and the cracker realised I'd cottoned on, so he/she deleted the offending material so I had no proof. All of this is whilst running the McAfee antivirus software, which I think is a pile of crap, but I'm told I MUST run it if I want to log onto the domain here (it's all automated from the server end anyways). Since I wasn't able to get a screendump of the process, the network admin didn't believe me and implied that I was either seeing things or lying, and that the McAfee software is the best on the market and doesn't make mistakes. He also says that weekly scans from the server end of my system come up clean, although we both know that local antivirus scanners can be modified to report the system as clean and hide trojans/rootkits etc. I'm in the IT industry myself, with a fair bit of experience in general computing, operating systems, and security. I'm quite competent in Windows, GNU/Linux and OS 9/OS X.

Here are the results from the TCPView scan, by the way:
Code:
FrameworkService.exe:1920 TCP MORGOTH:8081 MORGOTH:0 LISTENING
FrameworkService.exe:1920 UDP MORGOTH:8082 *:*
FrameworkService.exe:1920 UDP MORGOTH:8081 *:*
iexplore.exe:4008 UDP MORGOTH:3405 *:*
lsass.exe:668 UDP MORGOTH:4500 *:*
lsass.exe:668 UDP MORGOTH:isakmp *:*
lsass.exe:668 UDP MORGOTH:4749 *:*
msnmsgr.exe:3092 TCP morgoth.dia.net.au:3235 by1msg2145208.phx.gbl:1863 ESTABLISHED
msnmsgr.exe:3092 UDP MORGOTH:4479 *:*
msnmsgr.exe:3092 UDP morgoth.dia.net.au:discard *:*
svchost.exe:1020 TCP morgoth:netbios-ssn MORGOTH:0 LISTENING
svchost.exe:1020 UDP MORGOTH:ntp *:*
svchost.exe:1020 UDP morgoth:netbios-dgm *:*
svchost.exe:1020 UDP morgoth:ntp *:*
svchost.exe:1020 UDP morgoth:netbios-ns *:*
svchost.exe:1020 UDP morgoth.dia.net.au:ntp *:*
svchost.exe:1020 UDP MORGOTH:bootpc *:*
svchost.exe:1216 UDP MORGOTH:3661 *:*
svchost.exe:1216 UDP MORGOTH:1027 *:*
svchost.exe:1216 UDP MORGOTH:1026 *:*
svchost.exe:1216 UDP MORGOTH:1028 *:*
svchost.exe:1216 UDP MORGOTH:1025 *:*
svchost.exe:1216 UDP MORGOTH:4440 *:*
svchost.exe:1316 UDP MORGOTH:1900 *:*
svchost.exe:1316 UDP morgoth.dia.net.au:1900 *:*
svchost.exe:888 TCP MORGOTH:epmap MORGOTH:0 LISTENING
System:4 TCP MORGOTH:microsoft-ds MORGOTH:0 LISTENING
System:4 TCP morgoth.dia.net.au:netbios-ssn MORGOTH:0 LISTENING
System:4 TCP morgoth.dia.net.au:3370 isis.dia.net.au:microsoft-ds ESTABLISHED
System:4 UDP MORGOTH:microsoft-ds *:*
System:4 UDP morgoth.dia.net.au:netbios-ns *:*
System:4 UDP morgoth.dia.net.au:netbios-dgm *:*
winlogon.exe:612 UDP MORGOTH:1072 *:*

Code:
[System Process]:0 TCP morgoth.dia.net.au:3510 horus.dia.net.au:8000 TIME_WAIT
[System Process]:0 TCP morgoth.dia.net.au:3514 horus.dia.net.au:8000 TIME_WAIT
[System Process]:0 TCP morgoth.dia.net.au:3516 65.54.239.20:1863 TIME_WAIT
[System Process]:0 TCP morgoth.dia.net.au:3523 207.46.26.254:7001 TIME_WAIT
[System Process]:0 TCP morgoth.dia.net.au:3523 207.46.26.253:7001 TIME_WAIT
FrameworkService.exe:1920 TCP MORGOTH:8081 MORGOTH:0 LISTENING
FrameworkService.exe:1920 UDP MORGOTH:8082 *:*
FrameworkService.exe:1920 UDP MORGOTH:8081 *:*
iexplore.exe:4008 TCP morgoth.dia.net.au:3507 po-in-f165.google.com:http ESTABLISHED
iexplore.exe:4008 TCP morgoth.dia.net.au:3509 da-in-f104.google.com:http ESTABLISHED
iexplore.exe:4008 UDP MORGOTH:3405 *:*
lsass.exe:668 UDP MORGOTH:4500 *:*
lsass.exe:668 UDP MORGOTH:isakmp *:*
lsass.exe:668 UDP MORGOTH:4749 *:*
msnmsgr.exe:3092 UDP MORGOTH:4479 *:*
msnmsgr.exe:3092 TCP morgoth.dia.net.au:3517 by1msg2175315.phx.gbl:1863 ESTABLISHED
msnmsgr.exe:3092 TCP morgoth.dia.net.au:3519 www.games.defencejobs.gov.au:http ESTABLISHED
msnmsgr.exe:3092 UDP morgoth.dia.net.au:discard *:*
svchost.exe:1020 TCP morgoth:netbios-ssn MORGOTH:0 LISTENING
svchost.exe:1020 UDP MORGOTH:ntp *:*
svchost.exe:1020 UDP morgoth:netbios-dgm *:*
svchost.exe:1020 UDP morgoth:ntp *:*
svchost.exe:1020 UDP morgoth:netbios-ns *:*
svchost.exe:1020 UDP morgoth.dia.net.au:ntp *:*
svchost.exe:1216 UDP MORGOTH:3661 *:*
svchost.exe:1216 UDP MORGOTH:1027 *:*
svchost.exe:1216 UDP MORGOTH:1026 *:*
svchost.exe:1216 UDP MORGOTH:1028 *:*
svchost.exe:1216 UDP MORGOTH:1025 *:*
svchost.exe:1216 UDP MORGOTH:4440 *:*
svchost.exe:1316 UDP MORGOTH:1900 *:*
svchost.exe:1316 UDP morgoth.dia.net.au:1900 *:*
svchost.exe:888 TCP MORGOTH:epmap MORGOTH:0 LISTENING
System:4 TCP MORGOTH:microsoft-ds MORGOTH:0 LISTENING
System:4 TCP morgoth.dia.net.au:netbios-ssn MORGOTH:0 LISTENING
System:4 UDP MORGOTH:microsoft-ds *:*
System:4 UDP morgoth.dia.net.au:netbios-ns *:*
System:4 UDP morgoth.dia.net.au:netbios-dgm *:*
winlogon.exe:612 UDP MORGOTH:1072 *:*

Code:
1c1,6
< FrameworkService.exe:1920 TCP MORGOTH:8081 MORGOTH:0 LISTENING
---
> [System Process]:0 TCP morgoth.dia.net.au:3510 horus.dia.net.au:8000 TIME_WAIT
> [System Process]:0 TCP morgoth.dia.net.au:3514 horus.dia.net.au:8000 TIME_WAIT
> [System Process]:0 TCP morgoth.dia.net.au:3516 65.54.239.20:1863 TIME_WAIT
> [System Process]:0 TCP morgoth.dia.net.au:3523 207.46.26.254:7001 TIME_WAIT
> [System Process]:0 TCP morgoth.dia.net.au:3523 207.46.26.253:7001 TIME_WAIT
> FrameworkService.exe:1920 TCP MORGOTH:8081 MORGOTH:0 LISTENING
3a9,10
> iexplore.exe:4008 TCP morgoth.dia.net.au:3507 po-in-f165.google.com:http ESTABLISHED
> iexplore.exe:4008 TCP morgoth.dia.net.au:3509 da-in-f104.google.com:http ESTABLISHED
8d14
< msnmsgr.exe:3092 TCP morgoth.dia.net.au:3235 by1msg2145208.phx.gbl:1863 ESTABLISHED
9a16,17
> msnmsgr.exe:3092 TCP morgoth.dia.net.au:3517 by1msg2175315.phx.gbl:1863 ESTABLISHED
> msnmsgr.exe:3092 TCP morgoth.dia.net.au:3519 www.games.defencejobs.gov.au:http ESTABLISHED
11c19
< svchost.exe:1020 TCP morgoth:netbios-ssn MORGOTH:0 LISTENING
---
> svchost.exe:1020 TCP morgoth:netbios-ssn MORGOTH:0 LISTENING
17d24
< svchost.exe:1020 UDP MORGOTH:bootpc *:*
26,29c33,35
< svchost.exe:888 TCP MORGOTH:epmap MORGOTH:0 LISTENING
< System:4 TCP MORGOTH:microsoft-ds MORGOTH:0 LISTENING
< System:4 TCP morgoth.dia.net.au:netbios-ssn MORGOTH:0 LISTENING
< System:4 TCP morgoth.dia.net.au:3370 isis.dia.net.au:microsoft-ds ESTABLISHED
---
> svchost.exe:888 TCP MORGOTH:epmap MORGOTH:0 LISTENING
> System:4 TCP MORGOTH:microsoft-ds MORGOTH:0 LISTENING
> System:4 TCP morgoth.dia.net.au:netbios-ssn MORGOTH:0 LISTENING
Code:
Windows IP Configuration
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : dia.net.au
IP Address. . . . . . . . . . . . : 192.168.181.104
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.181.254
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Autoconfiguration IP Address. . . : 169.254.209.192
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
Code:
192.168.181.254

Thanks for any assistance that you can provide.

Dave

Last edited by dpastern; July 2nd, 2007 at 02:05 AM. Reason: forgot to add some details that were requested
#4
To answer your question about www.games.defencejobs.gov.au: MSN Messenger is programmed to download and connect to addresses for services. In this case it would seem the Australian government is paying to have its games advertised and played through MSN.

I'm not seeing any questionable connections. All of the ports look standard for their services. You have a few options to consider: your hardware is just slower, you don't have enough RAM/a large enough page file, or you have malware taking up cycles on your computer. If you are sure it isn't the first or second, head over to cyber security and post your concerns there. We aren't allowed to deal with HJT logs etc here.
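The netstat output in the first post and the reply that "all of the ports look standard for their services" are the two halves of the same triage step: reduce the listing to one row per socket, attach the owning process, then compare every listener against what the build is expected to run. The script below is an added example (not code from the thread) that does that offline. Its sample rows are copied from the netstat output posted above, in the `netstat -b` layout where module paths and the `[process]` tag follow the socket row, plus one constructed row (pid 3344 on port 5555) so the flag path has something to report; the `BASELINE` set is an assumed list of expected listeners for an XP SP2 domain member running McAfee VirusScan Enterprise 8, derived from the services the replies call standard, and should be tuned to the fleet being checked.

```python
"""Offline triage of a Windows netstat listing: group sockets by owning
process, show what each process is listening on or connected to, and flag
listeners that are not in an expected baseline. Added example, not code
from the thread; sample rows are from the output posted above plus one
constructed row (pid 3344, port 5555)."""
import re
from collections import defaultdict, namedtuple

Socket = namedtuple("Socket", "proto local_port remote state pid process unknown_modules",
                    defaults=[False])

# Constructed sample in `netstat -b` layout: a socket row, optionally followed
# by indented module lines and the owning process in [brackets].
SAMPLE = r"""
TCP MORGOTH:epmap MORGOTH.dia.net.au:0 LISTENING 888 [svchost.exe]
TCP MORGOTH:microsoft-ds MORGOTH.dia.net.au:0 LISTENING 4 [System]
TCP MORGOTH:8081 MORGOTH.dia.net.au:0 LISTENING 1920 [FrameworkService.exe]
TCP MORGOTH:netbios-ssn MORGOTH.dia.net.au:0 LISTENING 1020
  -- unknown component(s) --
  C:\WINDOWS\System32\svchost.exe
  [svchost.exe]
TCP MORGOTH:4828 td-in-f166.google.com:http ESTABLISHED 2600 [iexplore.exe]
TCP MORGOTH:4881 www.games.defencejobs.gov.au:http ESTABLISHED 3092 [MsnMsgr.Exe]
TCP MORGOTH:4887 by1msg2145217.phx.gbl:1863 ESTABLISHED 3092 [MsnMsgr.Exe]
TCP MORGOTH:4888 c.msn.com:http LAST_ACK 3092 [MsnMsgr.Exe]
TCP MORGOTH:4877 65.54.239.20:1863 TIME_WAIT 0
UDP MORGOTH:isakmp *:* 668 [lsass.exe]
UDP MORGOTH:1900 *:* 1316 [svchost.exe]
UDP MORGOTH:ntp *:* 1020 [svchost.exe]
UDP MORGOTH:5555 *:* 3344 [example_unknown.exe]
"""

# Assumed baseline of (process, port) listeners for an XP SP2 domain member
# running McAfee VSE 8 (FrameworkService on 8081/8082). Tune per fleet.
BASELINE = {
    ("svchost.exe", "epmap"), ("svchost.exe", "netbios-ssn"),
    ("svchost.exe", "netbios-dgm"), ("svchost.exe", "netbios-ns"),
    ("svchost.exe", "ntp"), ("svchost.exe", "1900"),
    ("system", "microsoft-ds"), ("system", "netbios-ssn"),
    ("system", "netbios-dgm"), ("system", "netbios-ns"),
    ("lsass.exe", "isakmp"), ("lsass.exe", "4500"),
    ("frameworkservice.exe", "8081"), ("frameworkservice.exe", "8082"),
}


def parse_line(line):
    """Return a Socket for one socket row, or None for any other line."""
    parts = line.split()
    if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
        return None
    proto, local, remote, rest = parts[0], parts[1], parts[2], parts[3:]
    state = ""
    if proto == "TCP":  # UDP rows have no state column
        state, rest = rest[0], rest[1:]
    if not rest or not rest[0].isdigit():
        return None
    m = re.search(r"\[([^\]]+)\]", line)
    process = m.group(1) if m else ""
    return Socket(proto, local.rpartition(":")[2], remote, state, int(rest[0]), process)


def parse_netstat(text):
    """Parse netstat -ano/-b output, attaching trailing module info to its row."""
    sockets = []
    for line in text.splitlines():
        s = parse_line(line)
        if s:
            sockets.append(s)
        elif sockets and line.strip().startswith("-- unknown component"):
            sockets[-1] = sockets[-1]._replace(unknown_modules=True)
        elif sockets and re.fullmatch(r"\s*\[([^\]]+)\]\s*", line):
            sockets[-1] = sockets[-1]._replace(process=line.strip()[1:-1])
    return sockets


def is_listener(s):
    return s.state == "LISTENING" or (s.proto == "UDP" and s.remote == "*:*")


def unexpected_listeners(sockets, baseline=BASELINE):
    """Listeners whose (process, port) pair is not in the baseline."""
    hits = set()
    for s in sockets:
        if is_listener(s) and (s.process.lower(), s.local_port) not in baseline:
            hits.add((s.process or "(no process tag)", s.local_port, s.pid))
    return sorted(hits)


def established_by_process(sockets):
    """Remote endpoints of ESTABLISHED TCP sockets, grouped by process."""
    out = defaultdict(set)
    for s in sockets:
        if s.proto == "TCP" and s.state == "ESTABLISHED":
            out[s.process or f"pid {s.pid}"].add(s.remote)
    return {proc: sorted(remotes) for proc, remotes in out.items()}


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE)
    for proc, remotes in established_by_process(socks).items():
        print(f"{proc}: {', '.join(remotes)}")
    for proc, port, pid in unexpected_listeners(socks):
        print(f"UNEXPECTED LISTENER {proc} (pid {pid}) on port {port}")
    for s in socks:
        if s.unknown_modules:
            print(f"unresolved module list on pid {s.pid} port {s.local_port}")
```

On the sample, the established list shows iexplore.exe talking to Google and MsnMsgr.Exe to the messenger server and the advertising host, every listener from the thread matches the baseline, and only the constructed pid 3344 row is flagged. The `-- unknown component(s) --` marker is recorded separately rather than treated as a finding: netstat prints it whenever it cannot name a module in the socket owner, which is routine for svchost.exe, so the useful follow-up is signature validation of the owning binary (as the Autoruns advice later in the thread suggests), not the marker on its own.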
#5
Why don't the other MSN connections (2 PCs on this network, and a friend's MSN connection) show www.games.defencejobs.gov.au? The bottom section of MSN Messenger is where the ads are, but there's never a defence force advert there. And, even if it's an advert, it should NEVER show as an established connection in my experience.

It still doesn't explain why and what the unknown components are (even using TCPView). Of course, even more worrying from my perspective is that mcshield.exe isn't running in the background like it is with the other PCs on this network. I know that's something I should take up with the network admin, but I'm not going to hold my breath.

As to performance, an Athlon 3 GHz should surely run quicker than an Athlon 1 GHz. 2.5 GB RAM is more than most people run, and the page file is set to let Windows XP handle it. Studying the performance utility doesn't show me running out of steam (RAM).

I'll fire the Mac up and see what happens via netstat. I find it very odd that only my Windows XP PC shows that address, and the others don't (and I presume that the Mac won't either). I'll probably uninstall MSN Live and install aMSN, it works, works well and doesn't come with junk. That should potentially fix this 'advertising'. I'm tempted to blow this install away and reinstall Debian GNU/Linux back on the hardware and just run Windows via VMware.

Thanks for your help.

Dave
#6
MSN is very dynamic in its advertising and differs by installed version and proximity to specific networks.

If you want to see the unknown components/verify your services you can download Autoruns. When you run the program go to Options and validate the file signatures. You can look at the modules individually and, with signature validation on, you can quickly remove drivers that aren't from the company they say they are, or drivers from companies you don't wish. A word of warning, this tool can be very dangerous as it will allow you to prevent Windows from loading any of the system drivers/services, so be very careful. If you like, you can post your log and I'll take a look for anything that would affect your network.