[Dshield] Does 126.96.36.199 ring any bell?
dan at dbdigitalweb.com
Thu Jan 8 19:31:27 GMT 2004
> Over the holidays, I had a look at my dad's PC (Compaq, Win98).
> He had been complaining of significant slowdowns. We did a few
> usual things (such as cleaning up, defragmenting). But I also ran
> "netstat -n -a" on his system and saw a few strange things:
Well, I would like to mention a couple of things. First, Compaqs have a
program installed called BackWeb; it is so Compaq people can get into your
system and fix problems when you call for support (in theory anyway). And
Spybot S&D will mention it and allow you to remove it. It may be possible
that this was taken over; it does give all the hooks into the system, so
basically get your foot in the door and you are all set. I don't know what
ports it uses, but I do remember it allows for installing of patches and
automatic downloading of them. This can all be shut off, but if I
remember right, it is on by default. In short, if you don't use it, get
rid of it. There should be an uninstall in the add/remove, and then run
Spybot S&D to make sure all of it got zapped. And if this does turn out to
be the cause, then it was "taken over" because BackWeb should only resolve
to a Compaq IP for any kind of file transfer.
As regards programs hiding in the process list, oh yes they can. I would
suggest getting something like processviewer (which is free and pretty good)
and will show you a LOT more than the standard Windows 98 viewer will. You might
be able to track it down then if it is not BackWeb.