We all know about viruses, worms, Trojans, malware, spyware etc., and in one way or another we have all had our machines infected by these threats at some point. We have various products on the market to fight them, but if we don't have a general knowledge of these devils, it can leave us high and dry at that moment. And obviously we don't want to spend much time, effort or money fighting these threats, as we have other important work to do. That, I guess, is what you will say if I don't share the few concise steps I took when I found myself a victim of these unwanted guests on my machine.
C:\>netstat -oa | find /I "Established"
I'm a very stingy person and I don't want any spyware or spybots wasting a single byte of my broadband connection. After all, I'm not paying for all the crap they are doing.
So, I tried the above command to see what is coming and going through the open ports. And I found a huge number of unwanted TCP/UDP established connections through SMTP port 25. Hmm!! They are passing on the important information from my cookies. (My credit card number?) ;-)
To find out which process is responsible, I noted down the PIDs shown by the Netstat command and searched for them with Tasklist as below:
C:\>tasklist /FI "PID eq 672"
Here 672 is the PID value that I retrieved through the Netstat command earlier.
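The netstat-then-tasklist correlation described above can be scripted so that the PID lookup is not done by hand. The following is an added example, not code from the original post: it parses captured text in the format of `netstat -ano` and `tasklist /FO CSV` (both sample outputs below are constructed to mimic those commands' column layouts, an assumption about the standard format) and reports every process that holds an ESTABLISHED connection to a remote SMTP port 25, which is the symptom the post is hunting for.

```python
"""Correlate `netstat -ano` ESTABLISHED connections with `tasklist` PIDs
and flag processes talking to a remote SMTP port (25).

Added example; not part of the original post. The netstat and tasklist
text below is constructed to mimic the real commands' output format, and
the functions operate on captured text rather than running anything. To use
it on a live machine, run `netstat -ano` and `tasklist /FO CSV` and pass
their output in (assumption: the standard Windows column layouts).
"""
import csv
import io
from collections import defaultdict

# Constructed sample of `netstat -ano` output (Windows column layout).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1043      198.51.100.7:25        ESTABLISHED     672
  TCP    192.168.1.10:1044      203.0.113.9:25         ESTABLISHED     672
  TCP    192.168.1.10:1050      198.51.100.20:80       ESTABLISHED     1234
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:1060      203.0.113.11:25        SYN_SENT        672
  UDP    0.0.0.0:500            *:*                                    800
"""

# Constructed sample of `tasklist /FO CSV` output.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"services.exe","672","Console","0","4,212 K"
"iexplore.exe","1234","Console","0","31,900 K"
"svchost.exe","900","Console","0","5,004 K"
"lsass.exe","800","Console","0","3,800 K"
'''

SMTP_PORT = 25


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples for TCP rows.
    UDP rows carry no state column and are skipped here."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        proto, local, remote, state, pid = parts
        rows.append((proto, local, remote, state, int(pid)))
    return rows


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): r["Image Name"] for r in reader}


def remote_port(addr):
    """Extract the port from 'host:port' (IPv6 literals use the last colon)."""
    return int(addr.rsplit(":", 1)[1])


def established_by_pid(netstat_text):
    """Group ESTABLISHED remote endpoints by the owning PID."""
    conns = defaultdict(list)
    for _proto, _local, remote, state, pid in parse_netstat(netstat_text):
        if state == "ESTABLISHED":
            conns[pid].append(remote)
    return dict(conns)


def flag_smtp_talkers(netstat_text, tasklist_text, port=SMTP_PORT):
    """Return {pid: (image_name, [remote endpoints on `port`])} for every
    process with at least one ESTABLISHED connection to that remote port."""
    names = parse_tasklist_csv(tasklist_text)
    flagged = {}
    for pid, remotes in established_by_pid(netstat_text).items():
        hits = [r for r in remotes if remote_port(r) == port]
        if hits:
            flagged[pid] = (names.get(pid, "<unknown>"), hits)
    return flagged


if __name__ == "__main__":
    for pid, (name, remotes) in flag_smtp_talkers(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(f"PID {pid} ({name}) has {len(remotes)} established SMTP connection(s): {remotes}")
```

On the constructed sample this reports PID 672 (services.exe) with two established SMTP connections, which mirrors the situation in the post: the owning image is a legitimate system binary, so the process name alone is not the indicator; the unexpected outbound port 25 traffic is.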
The worst thing is that those connections are owned by the legitimate Windows Services.exe (stopping this process will just lead to a shutdown, no help), and closing the connections through the TCPView software didn't help either, as new connections automatically establish on their own.
Note: You can also check the services (Run->Services.msc) to see if anything surprises you. I bet you won't find anything.
In simple words, Services.exe is injected with a spybot. So, my next step should be the Windows Firewall, to check which exceptions are allowed. Nothing surprising again. All is good.
Time and bytes were running out in seconds and MiBs. Therefore, I quickly blocked the open ports in my TCP/IP connection properties.
(Network connection->Right click the active connection->Select "Internet Protocol TCP/IP"->Properties->Click "Advanced" button->"Options" tab->Select TCP/IP filtering->Properties->Permit only->Add the port(s) that you want to block.)
Then I had to check the registry (Run->Regedit) to find out the entries that Services.exe is picking up during startup. (HKEY_LOCAL_MACHINE->SYSTEM->Services)
Oh god, so many entries, that's chaotic. But you always have options. I downloaded RegistryBooster 2.0 and quickly repaired my registry to get rid of the problem for the time being.
I had a few antivirus, anti-spyware and, more importantly, anti-rootkit tools, but those were all in vain. I realized I should have an Internet Security suite with a firewall built in to fight these threats. My choices are Zone Alarm and AVG Internet Security. It's working!!!!
