  dandelion Premium,MVM join:2003-04-29 Germantown, TN clubs: | reply to dandelion Re: How to find which program is trying to get online?
ahhh so the program trying to get out is multicast? Since I don't use anyway, I'll just block. Thanks for the input! My NVidia card came with WDM says exclamation on the drive- wonder if related? |
|
  RLD Its All About Choice.
join:2001-07-05 North Richland Hills, TX
| reply to dandelion multicast is normal traffic you can block it or ignore it. you can block it by not allowing the ip (224.0.0.1) out; but, it may cause problems with streaming media (music, video, realmedia, wma, etc). -- R.L.Dempsey OS/2 Warp & eCS (by Choice) Mac OS/X & Linux (for FUN) friggin windoze (by necessity)
|
|
  dandelion Premium,MVM join:2003-04-29 Germantown, TN clubs:
·Comcast
| reply to dandelion Yes-very harmless! Here's the link if interested: »Team Helix I don't think that the program trying to "call home" is much to worry about since I have so many safeguards, was just curious, but may be more trouble than it's worth to try to figure it out:), thanks for your help though! Hope your Holidays are good! |
|
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
| reply to dandelion Is FAH the Stanford project described in Google link? If that is it, it sounds pretty harmless to me .. lol.  -- "But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13) |
|
  dandelion Premium,MVM join:2003-04-29 Germantown, TN clubs: | reply to dandelion tried regedit-it couldn't find anything- not ready to remove FAH and since Spybot says no problems, guess I'll just forget it-whatever it is, I'm effectively blocking it, but thanks all for your help!!! |
|
 dlritter
join:2000-09-26 Hanford, CA | reply to dandelion First, try regedit and do a find on the hash signature. Second, try uninstalling FoldingAtHome and see if the problem goes away.
73 Dave |
|
  dandelion Premium,MVM join:2003-04-29 Germantown, TN clubs:
·Comcast
| reply to dandelion Thanks so much!! Finally got it, here's the fport-if I'm interpreting right it's saying my Earthlink Total Access trying to get online??? But that HAS permission from ZA to get online, so I may not be interpreting right-what do you think?? FPort v2.0 - TCP/IP Process to Port Mapper Copyright 2000 by Foundstone, Inc. »www.foundstone.com
Pid Process Port Proto Path
1128 tcpsvcs -> 7 TCP C:\WINDOWS\System32\tcpsvcs.exe
1128 tcpsvcs -> 9 TCP C:\WINDOWS\System32\tcpsvcs.exe
1128 tcpsvcs -> 13 TCP C:\WINDOWS\System32\tcpsvcs.exe
1128 tcpsvcs -> 17 TCP C:\WINDOWS\System32\tcpsvcs.exe
1128 tcpsvcs -> 19 TCP C:\WINDOWS\System32\tcpsvcs.exe
596 svchost -> 135 TCP C:\WINDOWS\system32\svchost.exe
4 System -> 445 TCP
632 svchost -> 1025 TCP C:\WINDOWS\System32\svchost.exe
4 System -> 1026 TCP
632 svchost -> 3002 TCP C:\WINDOWS\System32\svchost.exe
632 svchost -> 3003 TCP C:\WINDOWS\System32\svchost.exe
2036 winFAH -> 3167 TCP C:\Program Files\Accessories\winFAH.exe
2036 winFAH -> 3332 TCP C:\Program Files\Accessories\winFAH.exe
2036 winFAH -> 3443 TCP C:\Program Files\Accessories\winFAH.exe
2036 winFAH -> 3602 TCP C:\Program Files\Accessories\winFAH.exe
3192 TaskPanl -> 3648 TCP C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
2036 winFAH -> 3659 TCP C:\Program Files\Accessories\winFAH.exe
2036 winFAH -> 3808 TCP C:\Program Files\Accessories\winFAH.exe
2036 winFAH -> 4378 TCP C:\Program Files\Accessories\winFAH.exe
2036 winFAH -> 4454 TCP C:\Program Files\Accessories\winFAH.exe
632 svchost -> 4707 TCP C:\WINDOWS\System32\svchost.exe
632 svchost -> 4714 TCP C:\WINDOWS\System32\svchost.exe
2036 winFAH -> 4734 TCP C:\Program Files\Accessories\winFAH.exe
2036 winFAH -> 4908 TCP C:\Program Files\Accessories\winFAH.exe
796 -> 5000 TCP
3192 TaskPanl -> 8097 TCP C:\Program Files\EarthLink TotalAccess\TaskPanl.exe

1128 tcpsvcs -> 7 UDP C:\WINDOWS\System32\tcpsvcs.exe
1128 tcpsvcs -> 9 UDP C:\WINDOWS\System32\tcpsvcs.exe
1128 tcpsvcs -> 13 UDP C:\WINDOWS\System32\tcpsvcs.exe
1128 tcpsvcs -> 17 UDP C:\WINDOWS\System32\tcpsvcs.exe
1128 tcpsvcs -> 19 UDP C:\WINDOWS\System32\tcpsvcs.exe
2036 winFAH -> 123 UDP C:\Program Files\Accessories\winFAH.exe
596 svchost -> 445 UDP C:\WINDOWS\system32\svchost.exe
4 System -> 500 UDP
3192 TaskPanl -> 1900 UDP C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
2036 winFAH -> 1900 UDP C:\Program Files\Accessories\winFAH.exe
632 svchost -> 3011 UDP C:\WINDOWS\System32\svchost.exe
4 System -> 3039 UDP
2036 winFAH -> 3040 UDP C:\Program Files\Accessories\winFAH.exe
2036 winFAH -> 4300 UDP C:\Program Files\Accessories\winFAH.exe

this is one of the alerts I get from ZA:
a73bc66a95cf4f7b597fc8975778a889 The MD5 hash, or number, that uniquely identifies the executable.
Date Modified May-11-2003 08:12:10 PM The date when explorer.exe was most recently modified.
Connect Type Access This value can be either Access, which is an Internet connection attempt by Windows Explorer or Server, which indicates that Windows Explorer is waiting for connections coming in from the Internet.
Remote Port 1900 The port Windows Explorer is using on the remote computer. |
|
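Added example (not part of the thread): a Python parser for fport listings like the one posted above, used to list which processes have a given local port bound. The sample rows are copied from that post; the names `parse_fport` and `owners_of` are illustrative.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "pid process port proto path")

# One fport row: PID, optional process name, "->", port, protocol, optional path.
ROW = re.compile(r"^\s*(\d+)\s+(\S*)\s*->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")

# Rows copied from the fport listing in the post above (subset).
SAMPLE = r"""
Pid   Process      Port  Proto Path
596   svchost   -> 135   TCP   C:\WINDOWS\system32\svchost.exe
4     System    -> 445   TCP
796             -> 5000  TCP
3192  TaskPanl  -> 8097  TCP   C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
2036  winFAH    -> 123   UDP   C:\Program Files\Accessories\winFAH.exe
3192  TaskPanl  -> 1900  UDP   C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
2036  winFAH    -> 1900  UDP   C:\Program Files\Accessories\winFAH.exe
"""

def parse_fport(text):
    """Return an Entry per data row; header, banner and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            pid, name, port, proto, path = m.groups()
            # fport can leave the name or the path empty (see PID 796 and PID 4).
            entries.append(Entry(int(pid), name or "(unnamed)", int(port),
                                 proto, path.strip() or None))
    return entries

def owners_of(entries, port, proto=None):
    """Processes bound to a local port, optionally limited to TCP or UDP."""
    return sorted({(e.pid, e.process, e.path) for e in entries
                   if e.port == port and proto in (None, e.proto)})

if __name__ == "__main__":
    for pid, process, path in owners_of(parse_fport(SAMPLE), 1900, "UDP"):
        print(pid, process, path)
```

fport reports local ports, while the ZoneAlarm alert quotes a remote port, so a match here shows which processes have UDP 1900 bound locally rather than which one sent the flagged packet.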
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
3 edits | reply to dandelion said by dandelion : I don't understand creating batch file sorry, is there another way to slow it down so I can see? or maybe another program that does same but viewable?
1. Open Notepad
2. Enter "CD {Fport_Path}" {without quotes}
3. Enter "fport > fport.txt" {without quotes}
4. File, Save As: "launch.bat" {with quotes}
In Step 4; File, Save As: -- choose "All files" and save as "launch.bat" {with quotes} -- the quotes tell Notepad *NOT* to append a .txt or any other extension -- the saved file must have a .bat extension.
In Step 2, {Fport_Path} is the specific folder {complete path} you put the fport program in. The "CD" is a "change directory" command, that tells it to go to that folder where fport is located.
If you save "launch.bat" to your Windows directory, it will be accessible at all times by typing "launch" from the Command Prompt. This is because Windows directory is part of the environment "path" that is always searched first for executable programs. Hope that helps.  -- "But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13) |
|
  2kmaro Think Premium,ExMod 1 BC join:2000-07-11 ColossalCave clubs:  
| reply to dandelion Use Notepad to create the batch file (or just enter the first line of command in a command window) as fport > fport.txt
What that says is to start the program fport.exe and send all output to a text file named fport.txt
If you create that with notepad and save it as launch.bat then it saves you having to retype the fport > fport.txt command each time, just open a command window and go to that folder and type launch. If you use two > symbols, as fport >> fport.txt, then the "log" for each execution will be appended to the fport.txt file.
Then you can use Notepad to open up the fport.txt file to see what is in it. -- Good judgment comes from experience, and experience comes from bad judgment. Barry LePatner |
|
  dandelion Premium,MVM join:2003-04-29 Germantown, TN clubs: | reply to dandelion I don't understand creating batch file sorry, is there another way to slow it down so I can see? or maybe another program that does same but viewable? |
|
  dandelion Premium,MVM join:2003-04-29 Germantown, TN clubs:
·Comcast
1 edit | reply to dandelion You can create a batch file and place it in the same folder you put Fport and you can have it create a txt file for viewing. I created a file named launch.bat with a simple command found below.
LOL Sorry-not too computer literate-please take me step by step on creating batch file. Are you saying go to notebook call a file launch.bat and how to put in command? |
|
  Bubba GIT-R-DONE Premium,MVM join:2002-08-19 Around, Us
·Comcast
| reply to dandelion said by dandelion :
Downloaded program Fport, ran it and it flips by so quick can't see anything. Couldn't find help in the readme section-is there a way to get it to stay so I can see it?
You can create a batch file and place it in the same folder you put Fport and you can have it create a txt file for viewing. I created a file named launch.bat with a simple command found below.
fport > fport.txt
notepad.exe fport.txt
-- "It's 5 O'clock Somewhere" |
|
  dandelion Premium,MVM join:2003-04-29 Germantown, TN clubs: | reply to dandelion I have McAfee-but not impressed with it-is up in March and seriously considering Norton-sounds nice! |
|
  EmilioG Whats This? Premium join:2000-09-19 New York, NY
| reply to dandelion Do you have Adobe Reader set to automatically check for updates? I have Norton Internet Security and it has a Program Scan Option that lists all apps that try to access the Net and I can then set individual custom permissions for each. This is a quick and simple way to see what's trying to gain access. I'm sure ZA has the same, yes? -- One operating system to rule them all. |
|
  dandelion Premium,MVM join:2003-04-29 Germantown, TN clubs:
·Comcast
2 edits | reply to dandelion The program trying to connect is a "program from windows explorer" with MDHash5 a73bc66a95cf4f7b597fc8975778a889 I figure may be adobe reader??? or possible media? just would like to find out for sure. When I search for the DNS for the outgoing I get this:
NetName: MCAST-NET
NetHandle: NET-224-0-0-0-1
Parent:
NetType: IANA Special Use
NameServer: FLAG.EP.NET
NameServer: STRUL.STUPI.SE
NameServer: NS.ISI.EDU
NameServer: NIC.NEAR.NET
Comment: This block is reserved for special purposes.
Comment: Please see RFC 3171 for additional information.
Comment:
RegDate: 1991-05-22
Updated: 2002-09-16
OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org
OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org
(Search for MCAST-NET turned this up)
[SpamCop-Geeks] Re: MCAST.net and Interland.net (longish, maybe OT)
Jonathan Rynd spamcop-geeks@news.spamcop.net Fri, 25 Oct 2002 14:22:38 -0400
On Fri, 25 Oct 2002 13:40:39 -0400, "Sir Lurksalot II" wrote:
>These happened right away at logon:
>23/Oct/2002 20:37:58 Outgoing ICMP permitted; Out ICMP [10] Router Solicitation; localhost->ALL-ROUTERS.MCAST.NET
>[224.0.0.2]; Owner: Tcpip Kernel Driver
Your computer is set up to accept "IP Multicast".(not sure what this is?) This is a setting in your OS and does not depend on whether you view streaming media or not. Mcast.net is not a real domain; it is the fictitious domain set up for the IP addresses that are reserved for IP multicast. Nothing to worry about.
>23/Oct/2002 20:46:58 Outgoing ICMP permitted; Out ICMP [8]
>Echo Request; localhost->64.224.86.159; Owner: Tcpip Kernel Driver
This means that some software on your machine is pinging 64.224.86.159. My guess is that it's some software trying to tell if you have an active Internet connection or not, probably so it can phone home and check for updates.
>Oh, and to the best of my ability, I am virus/worm free,
>adaware free, don't use chats, do use ICQ (but it's Removed
>for the duration until, I settle this), and other newsgroups I
>use are strictly forced-text so I doubt I picked anything up
>online.
It's still possible that some program on your machine is making the network connections without asking you. But the only way to be sure is to reinstall Windows..."
Downloaded program Fport, ran it and it flips by so quick can't see anything. Couldn't find help in the readme section-is there a way to get it to stay so I can see it? |
|
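Added example (not part of the thread): since the firewall alert identifies the executable only by MD5, one way to put a name to it is to hash the program files on disk and compare. The search root, the extension list and the function names are assumptions made for this sketch.

```python
import hashlib
import os
import re

# MD5 quoted in the firewall alert in this thread.
ALERT_MD5 = "a73bc66a95cf4f7b597fc8975778a889"

def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def find_by_md5(root, wanted, extensions=(".exe", ".dll", ".ocx")):
    """Walk root; return (matches, unreadable) for files whose MD5 equals wanted."""
    wanted = wanted.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}", wanted):
        raise ValueError("an MD5 is 32 hexadecimal characters")
    matches, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            full = os.path.join(dirpath, name)
            try:
                if md5_of(full) == wanted:
                    matches.append(full)
            except OSError:
                # Locked or permission-denied files are reported, not hidden.
                unreadable.append(full)
    return sorted(matches), sorted(unreadable)

if __name__ == "__main__":
    # Assumed search root; widen it if nothing matches.
    hits, skipped = find_by_md5(r"C:\Program Files", ALERT_MD5)
    for path in hits:
        print("match:", path)
    print(len(skipped), "file(s) could not be read")
```

An empty result does not clear the alert: the file may sit outside the search root, carry another extension, or have changed since the firewall recorded the hash.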
  richtig Music Is Emotion Premium join:2003-02-19 Australia clubs:
| reply to dandelion Re: How to find which program is trying to get onl
Download fport from »www.foundstone.com. From the readme.txt
fport v2.0
fport supports Windows NT4, Windows 2000 and Windows XP
fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications. -- ... and a Happy and Prosperous 2004 |
|
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
| reply to dandelion Re: How to find which program is trying to get online?
You mean, ZA doesn't give the program a name and path? There have been problems in the past with ZA claiming a no-name app was trying to get out to the Net.  -- "But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13) |
|
  dandelion Premium,MVM join:2003-04-29 Germantown, TN clubs:
·Comcast
| Excuse me if this has been asked-couldn't see any info in FAQ and would appreciate the link if it is: How can I tell which program is trying to get online through my windows explorer when I have a MD hash (not sure of that spelling) number and a long list of numbers? It comes up in my ZA about every day or so and I tell it no, so far no ill effects that are obvious. Have run McAfee, Spybot, etc. so I assume an "innocent" program but am curious and would like to figure this out. |
|