Archive for the ‘Windows Defender’ Category

Final Post

October 2, 2009

No – I’m not dead yet!!

This is a final post at Tigerstail.wordpress.com because I am tired of seeking knowledge and bitching about that which is. It is time to use my skills to develop the solutions to all of the problems I have discovered.

Join Me at jimmicap.wordpress.com

Vista Tasklist – Cool Tool!

November 30, 2007

Alright, I finally found something decent about Vista, but it actually lives in Vista DOS, which evolved from NT DOS and XP Pro DOS. It's a tool called Tasklist, and it lists every running process with its PID and, with the right switch, the services running inside each of those processes. By using the various switches you can find out which modules (DLLs) and executables are associated with a PID and learn about them. Knowledge leads to defense, or at minimum it will let you identify and disable your intruder.

My very First Tasklist command was:

C:\>Tasklist /svc

In my last post I found that Level 3 was connected to two unknown processes, 2060 and 988. Now I’m still not proficient with this command, but the output shows I have reason to be concerned.

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    988 AeLookupSvc, Appinfo, BITS, Browser, gpsvc,
                                   IKEEXT, iphlpsvc, LanmanServer, MMCSS,
                                   ProfSvc, RasMan, Schedule, seclogon, SENS,
                                   ShellHWDetection, Themes, Winmgmt, wuauserv
winss.exe                     2060 winss

By searching Google for winss you find that winss.exe is part of Windows Live OneCare but has also been linked to malware problems, and that svchost.exe is a generic host process for Windows services (DLL-based services) that has likewise been abused by malware. Still, you cannot remove either without hurting your operating system, so you have to find the specific service, or even the specific module inside it, that is connecting to the net without your permission.

The next command I tried was

C:\>tasklist /m >> module.txt

It's necessary to send this to a text file because the output is bigger than the DOS screen allows. The output lists every module loaded into each PID, which is informative but not necessarily useful. What would be ideal is if the remote IP were related to the PID, the PID to the service that owns the connection, and the service to the modules loaded within it. This is what netstat -bv did for me (on Vista it has to be run from an elevated command prompt), and it allowed me to isolate and eliminate problems like ccproxy.exe.

I'm sure that Tasklist is the solution, but it will take me a while to figure it out unless somebody gives me the answer. I suspect that whatever this intruder was, it was standard malware and not military-strength malware. I ran all my malware eliminators, and when I awoke I only had Google Talk knocking on my door.

Vista – Beyond Netstat!

November 29, 2007

Where do you find your lost car keys? You find them in the same place every time and the answer is easy.

You find them the last place you look.

When it came to XP I never got past netstat to find out who's invading my privacy, because it wasn't necessary. Now there are some interesting things about DOS that I forgot, but since analyzing Vista is a whole new ballgame, I thought I'd better refresh myself. The command of the day was netstat -ano with a few modifiers to give me a hand. After all, this is still a computer and it should be able to follow a few simple commands. Check the following:

C:\>netstat -ano 10 >> fred.txt

Now this command is fairly straightforward once you learn DOS. netstat -ano lists the protocol, the local address and port, the foreign address and port, the state, and the owning process ID: -a shows all connections and listening ports, -n prints addresses and ports numerically with no DNS lookups, and -o adds the PID column. The 10 is an interval: netstat repeats the listing every 10 seconds until you press Ctrl+C. Since you really can't do much with DOS output and the console's scrollback buffer is finite, the >> fred.txt redirection sends the output to a text file named fred.txt and appends each new listing to the bottom of the file instead of overwriting it.

Because of the slow speed of Vista and all the Simon Says rules, I set up a DOS window with the above command the night before and a second DOS window with "notepad fred.txt". Since they were set up the night before, all I have to do when the machine comes out of hibernation is press Enter on the netstat command and, about 2 minutes later, press Enter in the other DOS window to see what I have captured in Notepad.

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       748
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       432
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       1148
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       516
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       988
  TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING       500
  TCP    12.197.60.34:139       0.0.0.0:0              LISTENING       4
  TCP    12.197.60.34:53044     72.14.203.101:80       CLOSE_WAIT      1028
  TCP    12.197.60.34:53045     209.85.163.125:5222    ESTABLISHED     1028
  TCP    12.197.60.34:53046     64.233.163.189:80      TIME_WAIT       0
  TCP    12.197.60.34:53047     207.46.235.29:443      ESTABLISHED     2060
  TCP    12.197.60.34:53049     8.12.213.124:80        ESTABLISHED     2060
  TCP    12.197.60.34:53050     8.12.213.124:80        ESTABLISHED     988

The first three external IPs belong to Google Talk. The third Google connection drops out after 2 minutes and the first two stay connected all day. The fourth IP is Microsoft, and the last IP, used by two different processes, belongs to Level 3.

Now Level 3 is an untrusted, uninvited guest, but the connection only lasts for less than a minute. By the time I check the Task Manager and get through "Simon Says" and "processes from all users", it's too late to find out who is doing what to me, and I have yet to discover a meaningful list of subprocesses for each PID that I might block in order to block the intruder. Blocking the IP is a waste of time because there are billions of them and the task of invading my privacy can be shifted to another server. The only permanent way is to identify and kill the process.

Tomorrow I'll discuss a new DOS command; at least it's new to me, and it does not exist in Windows XP DOS.

But the only thing for sure right now is that I have an uninvited intruder invading my privacy which has made it past Windows Defender, and I don't have a clue how to stop it.
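The join that the Tasklist post above wishes for, and that this post's netstat -ano capture needs, is a match on the PID column: each remote connection from netstat -ano tied to the image name and service list that tasklist /svc reports for that PID. The script below works that through as an added example; it is not code from the original posts. Its sample text is constructed to mirror the two command outputs quoted above (the UDP row and the placeholder labels in angle brackets are assumptions for illustration). It skips listeners and loopback, and it flags a PID that netstat saw but tasklist did not, which is exactly what happens when a connection lasts under a minute and the process is gone before the second command runs.

```python
"""Join `netstat -ano` connections to `tasklist /svc` service lists by PID."""
import re

# Constructed sample text modelled on the output quoted in the posts above;
# not a live capture, and the UDP row is assumed for illustration.
NETSTAT_ANO = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       988
  TCP    12.197.60.34:53044     72.14.203.101:80       CLOSE_WAIT      1028
  TCP    12.197.60.34:53045     209.85.163.125:5222    ESTABLISHED     1028
  TCP    12.197.60.34:53046     64.233.163.189:80      TIME_WAIT       0
  TCP    12.197.60.34:53047     207.46.235.29:443      ESTABLISHED     2060
  TCP    12.197.60.34:53049     8.12.213.124:80        ESTABLISHED     2060
  TCP    12.197.60.34:53050     8.12.213.124:80        ESTABLISHED     988
  UDP    0.0.0.0:123            *:*                                    1148
"""

TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    988 AeLookupSvc, Appinfo, BITS, Browser, gpsvc,
                                   IKEEXT, iphlpsvc, LanmanServer, MMCSS,
                                   ProfSvc, RasMan, Schedule, seclogon, SENS,
                                   ShellHWDetection, Themes, Winmgmt, wuauserv
winss.exe                     2060 winss
"""

# Foreign addresses that never name a remote host: listeners, unbound UDP, loopback.
LOCAL_ONLY = {"0.0.0.0", "*", "127.0.0.1", "::", "::1", "[::]", "[::1]"}


def split_endpoint(endpoint):
    """'1.2.3.4:80' -> ('1.2.3.4', '80'); also handles '[::1]:135' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Parse `netstat -ano` rows; TCP rows carry a State column, UDP rows do not."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        state, pid = (fields[3], fields[4]) if fields[0] == "TCP" else ("", fields[3])
        conns.append({"proto": fields[0], "local": fields[1],
                      "foreign": fields[2], "state": state, "pid": int(pid)})
    return conns


def parse_tasklist_svc(text):
    """Parse `tasklist /svc` into {pid: (image, [services])}; a long service
    list wraps onto indented lines, which are appended to the previous record."""
    record = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")
    procs, last_pid = {}, None
    for line in text.splitlines():
        m = record.match(line)
        if m:
            last_pid = int(m.group("pid"))
            procs[last_pid] = (m.group("image"), [])
            svcs = m.group("svcs")
        elif line[:1].isspace() and last_pid is not None:
            svcs = line
        else:
            continue  # column header, ==== rule or blank line
        names = [s.strip() for s in svcs.split(",")]
        procs[last_pid][1].extend(n for n in names if n and n != "N/A")
    return procs


def external_connections(conns, procs):
    """Label each remote connection with its owning image and hosted services.
    A PID missing from the tasklist snapshot is flagged rather than dropped: the
    two commands run at different instants, so a short-lived process can vanish."""
    rows = []
    for c in conns:
        host, _ = split_endpoint(c["foreign"])
        if c["state"] == "LISTENING" or host in LOCAL_ONLY:
            continue
        if c["pid"] == 0:  # netstat reports PID 0 for sockets no process owns
            image, services = "<no owner (PID 0)>", []
        else:
            image, services = procs.get(c["pid"], ("<not in tasklist snapshot>", []))
        rows.append({**c, "image": image, "services": services})
    return rows


def report(rows):
    """One line per remote connection; svchost rows list every hosted service."""
    return "\n".join(f"{r['foreign']:<22} {r['state']:<12} {r['pid']:>5} "
                     f"{r['image']:<28} {', '.join(r['services']) or '-'}"
                     for r in rows)


if __name__ == "__main__":
    print(report(external_connections(parse_netstat(NETSTAT_ANO),
                                      parse_tasklist_svc(TASKLIST_SVC))))
```

On a real box, save the two listings (netstat -ano > conns.txt and tasklist /svc > svcs.txt) and feed the files to the two parsers; tasklist /svc /fo csv avoids the wrapped service column entirely if you prefer a CSV reader. The ambiguity that remains is the svchost row: tasklist can name the 18 services sharing PID 988 but not which of them opened the socket. Two ways to narrow that down on Vista are netstat -b from an elevated prompt, which names the executable behind each connection, and sc config <service> type= own (the space after type= is required), which moves one suspect service into its own svchost process so that its PID is unambiguous the next time you look.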