Re: host190.216.26.168.maximumasp.com:80 CLOSE_WAIT
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 07/07/05
Date: Thu, 7 Jul 2005 02:52:24 -0500
I would use Task Manager or Process Explorer to see if you can find any
process that is on your computer that does not exist on a like configured
computer that is not having a problem. When you use Process Explorer if you
find a process that is mapped to an executable that has no publisher name
associated with it that is a red flag though on rare occasion a legitimate
process may not show a name. Again if booting into safe mode makes things
work a lot better then most likely you have a rogue process on your
computer.

I just repaired my computer where I found a virus running on it. I used two
different spyware programs and two virus detection programs and nothing was
found. With Process Explorer I found an unknown process running via file
named \Windows\mscarrt32.exe that was also using port 1053 as a source port
on my computer to attempt to connect to another computer on the internet.
The virus was configured to be a service and it also modified my hosts file
to show 127.0.0.1 for all the common sites for malware help. I noticed
something was up as my computer was sluggish and neither the command prompt,
Task Manager, nor registry editor would open. I stopped the service, deleted the
associated registry key, and deleted the file. The reason I mention this is
that there appears to be more and more malware going around that is not
being detected by antivirus programs or at least right away. I suspect my
daughter or wife downloaded or opened something and answered "yes" when they
should not have.

Anyhow check for strange processes/services as a start. If you find anything
use Google to search for the name of the file you find to see if it brings
up anything that may be helpful. Trend Micro has a free tool called Sysclean
that may also be worth a try. Just download Sysclean and the current pattern
file to a common folder to run from - very easy to do.
--- Steve

http://www.trendmicro.com/download/dcs.asp --- Sysclean
http://www.trendmicro.com/download/pattern.asp -- pattern file in .zip file

"lambomadness" <lambomadness@discussions.microsoft.com> wrote in message
news:BCF386FE-5893-4717-A73B-B09B67A2F035@microsoft.com...
> Thank You Steve,
>
> I've got tcpview/tdimon from sysinternal and fport from another site to
> check out the process and ports. Tcpview shows that SymmTime.exe is
> associated with host190.216.26.168.maximumasp.com . Symmtime is a world
> clock and time synchronisation program that I got running on the pcs here.
>
> I did update the spybot and CA Etrust 7.1.192 and did do a full scan of
> both programs but it didn't find anything. Did disable system restore too.
>
> Last time I noticed something similar and I decided to reformat the pc,
> but this time, I really do want to know what is bugging it.
>
> I notice that explorer.exe on my pc is using 25MB of memory and the cpu
> column is jumping between 11 and 55 in task manager. This is similar to
> last time. I did check with other xp users in our office and they show about
> 5MB of memory usage and cpu is very low (0-2) . Did download the codered and
> mydoom scanner from symantec website but it didn't find anything.
>
> Even right clicking "My Computer" and the resulting window come up very
> slowly, run internet explorer also took some time to appear. The spybot
> scan is the longest that I could remember to do a full scan.
>
> regards,
> lambomadness
>
> "Steven L Umbach" wrote:
>
>> Maximumasp.com appears to be a legitimate website and your netstat
>> results shows that your computer is connected to their website so that
>> may not be the problem.
>>
>> Try using Task Manager or some of the free tools from SysInternals such
>> as Process Explorer, TCPView, and Autoruns to see if you can find any rogue
>> processes running and with Task Manager look for process or processes
>> consuming a lot of memory and/or CPU. It is normal if system idle process
>> shows a lot of CPU use however as that actually indicates available CPU
>> resources.
>>
>> Try boot into safemode to see if performance increases. If it does you
>> may have a startup process bogging the system down which could be malware.
>> If you boot into safe mode with networking be sure that you have a firewall
>> device protecting your computer as doing such will disable any host
>> firewall. I would be sure to do a full scan for viruses being sure to
>> update your antivirus application to the latest definitions from your
>> vendor's website and do a full scan with SpyBot using its latest
>> definitions.
>> --- Steve
>>
>> http://www.sysinternals.com/ --- link to SysInternals.
>>
>>
>> "lambomadness" <lambomadness@discussions.microsoft.com> wrote in message
>> news:065FF73E-9268-4465-86BA-136232CCA3F9@microsoft.com...
>> > Hello all,
>> >
>> > A couple of days ago, something was trying to edit my host file and
>> > spybot s&d ver 1.4 blocked it. My pc is running very slow ever since.
>> > As if it is drunk. P4 1.8ghz, 512MB ram , at least 3 gb free hd on both
>> > C: and D: (XP sp2 with all updates from officeupdate and windowsupdate)
>> >
>> > If pc is connected to the network and sometimes I do a netstat, I can
>> > see it establish the connection.
>> >
>> > Netstat would show:
>> > host190.216.26.168.maximumasp.com:80 ESTABLISHED
>> >
>> > I then pulled out the network cable and do netstat again, then it is
>> > gone.
>> > tcp mypc:1087 host190.216.26.168.maximumasp.com:80 CLOSE_WAIT
>> >
>> > Anyone seen this problem before or have any suggestion for me.
>> >
>> > Regards,
>> > lambomadness
>>
>>
>>