GH- Help!
sea69
08-24-2002, 12:56 PM
U.S.Robotics 10/100PCI NIC TX
WAN Miniport (IP)
WAN Miniport (L2TP)
WAN Miniport (NetBEUI, Dial IN)
WAN Miniport (NetBEUI, Dial IN)#2
WAN Miniport (NetBEUI, Dial IN)#3
WAN Miniport (NetBEUI, Dial OUT)
WAN Miniport (NetBEUI, Dial OUT)#2
WAN Miniport (NetBEUI, Dial OUT)#3
WAN Miniport (PPTP)
if someone who is a new type user finds these entries and has no knowledge of how they suddenly got there, does it appear as if this machine may have been compromised??
thanks!
;)
YODA74
08-24-2002, 01:07 PM
lost me on this sea, don't know if this would help?
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com/support/kb/articles/q281/3/36.asp
Budfred
08-24-2002, 03:26 PM
Did this new user recently set up a network or web connection? These look like network files to me.
Budfred
sea69
08-24-2002, 05:12 PM
I suspect his pc has been compromised. He has no connections that he added himself (on purpose), these are in Event Viewer, in a win2k machine with a simple dial-up connection.
sea69
08-24-2002, 05:45 PM
but maybe not-
System 8 192.168.0.1 137 LISTEN UDP
System 8 192.168.0.1 138 LISTEN UDP
System 8 0.0.0.0 445 LISTEN UDP
System 8 0.0.0.0 1026 LISTEN TCP
System 8 192.168.0.1 139 LISTEN TCP
System 8 0.0.0.0 445 LISTEN TCP
services.exe 212 0.0.0.0 3005 LISTEN UDP C:\WINNT\system32\services.exe
lsass.exe 224 192.168.0.1 500 LISTEN UDP C:\WINNT\system32\lsass.exe
msimn.exe 372 127.0.0.1 4675 LISTEN UDP C:\Program Files\Outlook Express\msimn.exe
svchost.exe 380 0.0.0.0 135 LISTEN UDP C:\WINNT\system32\svchost.exe
svchost.exe 380 0.0.0.0 135 LISTEN TCP C:\WINNT\system32\svchost.exe
dpcproxy.exe 464 10.1.176.227 3024 66.82.9.29 86 ESTABLISHED TCP C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
dpcproxy.exe 464 127.0.0.1 83 127.0.0.1 4677 TIME_WAIT TCP C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
dpcproxy.exe 464 0.0.0.0 2001 LISTEN TCP C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
dpcproxy.exe 464 0.0.0.0 85 LISTEN TCP C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
svchost.exe 492 192.168.0.1 53 LISTEN UDP C:\WINNT\System32\svchost.exe
svchost.exe 492 192.168.0.1 68 LISTEN UDP C:\WINNT\System32\svchost.exe
svchost.exe 492 192.168.0.1 67 LISTEN UDP C:\WINNT\System32\svchost.exe
svchost.exe 492 0.0.0.0 3001 LISTEN UDP C:\WINNT\System32\svchost.exe
svchost.exe 492 192.168.0.1 3004 LISTEN TCP C:\WINNT\System32\svchost.exe
svchost.exe 492 192.168.0.1 3003 LISTEN TCP C:\WINNT\System32\svchost.exe
svchost.exe 492 192.168.0.1 3002 LISTEN TCP C:\WINNT\System32\svchost.exe
MSTask.exe 568 0.0.0.0 1025 LISTEN TCP C:\WINNT\system32\MSTask.exe
IEXPLORE.EXE 952 127.0.0.1 4685 LISTEN UDP C:\Program Files\Internet Explorer\IEXPLORE.EXE
Weather.exe 1056 127.0.0.1 3029 LISTEN UDP C:\Program Files\AWS\WeatherBug\Weather.exe
DPCNAV.EXE 1232 10.1.176.227 6531 LISTEN UDP C:\PROGRA~1\DIRECWAY\bin\DPCNAV.EXE
DPCNAV.EXE 1232 0.0.0.0 6688 LISTEN UDP C:\PROGRA~1\DIRECWAY\bin\DPCNAV.EXE
DPCNAV.EXE 1232 10.1.176.227 4664 LISTEN UDP C:\PROGRA~1\DIRECWAY\bin\DPCNAV.EXE
DPCNAV.EXE 1232 10.1.176.227 6599 LISTEN UDP C:\PROGRA~1\DIRECWAY\bin\DPCNAV.EXE
DPCNAV.EXE 1232 10.1.176.227 2464 LISTEN UDP C:\PROGRA~1\DIRECWAY\bin\DPCNAV.EXE
RTMService.exe 1520 0.0.0.0 3385 LISTEN UDP C:\Program Files\Remote Task Manager\RTMService.exe
RTMService.exe 1520 0.0.0.0 3384 LISTEN TCP C:\Program Files\Remote Task Manager\RTMService.exe
??
YODA74
08-24-2002, 06:50 PM
System 8 192.168.0.1 139 LISTEN TCP ...... remote host.... glocksoft.com.... that's probably remote port 80 Iexplore.exe
which is a network monitor; this feature is available under Windows NT/2000/XP
Have you used the run command >cmd>type>netstat /? and found out what this stuff is? GH definitely is the security brains here on this stuff.
First, looks like the machine is running DirecPC...so that will have a host of unusual network entries. Especially if it is the one-way version, because both the modem and the satellite connection will be running at the same time. (Modem for uploads and satellite for down).
WeatherBug has been associated with Gator (it is installed with some downloads), but it still sends/receives what would be odd looking requests if you aren't expecting them.
For example, one program we currently offer to some people who download WeatherBug is called "Gator." Gator is an enormously popular timesaving tool for people who surf the web. Some WeatherBug users have asked if Gator is "Spyware." It is clearly not.
(although I think they are being misled (misleading?), because Gator IS spyware)
And Remote Task Manager?
sheesh....
sea69
08-24-2002, 09:14 PM
thanks for the analysis guys, I just thought it looked "funny" to me, and the person says "My add/remove programs in the control panel does nothing but blink once when I double click it. I am running Win 2K"
and that it just started yesterday.
he also got the following in event viewer:
--------------------------------------------------------------------------------
If it will help any here are some of the warnings & errors.
WARNING - Remote access , Dhep, #2, #20, #32, #1007, #11050, #20169
ERROR - Service Control Manager, #7000, #7001, #7002, #7031, #12291, #30013, #31012, #32003
I wouldn't say 100% that it can't be, but there doesn't seem to be anything obvious...
Why don't you grab one of the anti-trojans from my list and give it a whirl?
The add/remove not working properly would be more worrisome to me....
sea69
08-24-2002, 11:53 PM
thanks- yes that is worrying, but have found no answer yet.
;)
Ghost_Hacker
08-25-2002, 08:22 AM
OK, let me start with the first part.
U.S.Robotics 10/100PCI NIC TX
WAN Miniport (IP)
WAN Miniport (L2TP)
WAN Miniport (NetBEUI, Dial IN)
WAN Miniport (NetBEUI, Dial IN)#2
WAN Miniport (NetBEUI, Dial IN)#3
WAN Miniport (NetBEUI, Dial OUT)
WAN Miniport (NetBEUI, Dial OUT)#2
WAN Miniport (NetBEUI, Dial OUT)#3
WAN Miniport (PPTP)
This looks to be settings for dialing into another computer, not the internet (or it's just been configured wrong). Notice the use of NetBEUI and the tunneling protocols (PPTP, L2TP). Did you take a look at the "dial up" connections to see what he's set up to dial out to?
Now as to the list of "listening" ports..... You'll want to disable the server service if he's not sharing files, or at the very least unbind "file and print sharing" from the internet interface (disable it from the network properties for that interface), as a lot of his ports are "file sharing" ones.
The worst of this bunch is the RTMService process. This is a program called Remote Task Manager and is part of the Remote Assistance feature included with XP (but not Windows 2000), but it can also be had as a 3rd party addon program and is probably installed on this guy's computer.
I would also question just what role this computer plays on this guy's network, since it's listening on port 53 UDP, which is a DNS server port. Is this part of the satellite link software (DirecPC that MJC mentioned) for sharing the connection? (The satellite link might also explain the dial out entries for accessing a remote computer.)
"My add/remove programs in the control panel does nothing but blink once when I double click it. I am running Win 2K"
Try this MSKB article:
Q265829 (http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q265829&)
The list of event viewer errors (DHCP I assume, not DHEP :) ) says that his DHCP or DNS server is not starting. Again I would question just what role this computer plays on this guy's network. (You might want to look in "services" and see just what is starting up on this computer.)
The server manager errors are for services that won't start.
Good Luck :)
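The triage Ghost_Hacker walks through above (loopback vs. all-interface binds, the file-sharing ports, the DNS/DHCP server ports, and third-party binaries listening) can be done mechanically over a listing in the layout posted in this thread. This is an added example written for this page, not code from anyone in the thread; the sample lines are a constructed subset modelled on the posted listing, and the bucket names and the "OS binary lives under C:\WINNT" heuristic are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the listing posted in the thread:
# process PID local-addr local-port [remote-addr remote-port] state proto [path]
SAMPLE = r"""
System 8 192.168.0.1 139 LISTEN TCP
System 8 0.0.0.0 445 LISTEN TCP
lsass.exe 224 192.168.0.1 500 LISTEN UDP C:\WINNT\system32\lsass.exe
msimn.exe 372 127.0.0.1 4675 LISTEN UDP C:\Program Files\Outlook Express\msimn.exe
dpcproxy.exe 464 10.1.176.227 3024 66.82.9.29 86 ESTABLISHED TCP C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
svchost.exe 492 192.168.0.1 53 LISTEN UDP C:\WINNT\System32\svchost.exe
RTMService.exe 1520 0.0.0.0 3384 LISTEN TCP C:\Program Files\Remote Task Manager\RTMService.exe
"""
LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+"          # process, PID, local addr/port
                  r"(?:(\S+)\s+(\d+)\s+)?"                      # optional remote addr/port
                  r"([A-Z_]+)\s+(TCP|UDP)(?:\s+(.*))?$")        # state, protocol, optional path
FILE_SHARING = {137, 138, 139, 445}            # NetBIOS and SMB, the "file sharing" ports
SERVER_ROLE = {53: "DNS server", 67: "DHCP server"}

def parse_listing(text):
    """Turn the pasted listing into dicts; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        proc, pid, laddr, lport, raddr, rport, state, proto, path = m.groups()
        entries.append({"proc": proc, "pid": int(pid), "laddr": laddr, "lport": int(lport),
                        "raddr": raddr, "rport": int(rport) if rport else None,
                        "state": state, "proto": proto, "path": path or ""})
    return entries

def triage(entries):
    """Bucket each LISTEN socket by the first question a defender would ask about it."""
    findings = defaultdict(list)
    for e in entries:
        if e["state"] != "LISTEN":
            continue
        tag = f'{e["proc"]}[{e["pid"]}] {e["proto"]}/{e["lport"]} on {e["laddr"]}'
        # Assumption: the kernel "System" process and anything under C:\WINNT is the OS itself
        is_os = e["proc"] == "System" or e["path"].upper().startswith(r"C:\WINNT")
        if e["laddr"].startswith("127."):
            findings["loopback_only"].append(tag)          # reachable only from this host
        elif e["lport"] in FILE_SHARING:
            findings["file_sharing"].append(tag)           # unbind from the dial-up interface
        elif e["proto"] == "UDP" and e["lport"] in SERVER_ROLE:
            findings[SERVER_ROLE[e["lport"]]].append(tag)  # this host serves its LAN; intended?
        elif not is_os:
            findings["third_party_service"].append(tag)    # non-OS binary listening: review it
        else:
            findings["os_service"].append(tag)
    return dict(findings)
```

Established connections are skipped on purpose; they answer a different question (who is this machine talking to) than the one the thread is asking (what is it offering to the network).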
sea69
08-25-2002, 08:42 AM
Alarm bells just went off when I saw these entries.
;)