A little help please
Hey. I recently looked through the active connections on one of my computers and one connection looked suspicious: TCP to "78.131.193.150:64180" (it was from "System", with a PID that could not be found by Task Manager or taskkill), so I did a lookup and found out that it was some Polish site. Just for the ____ of it I checked my other computers (I have 3 running most of the time) too (using netstat -an/-bn) and to my surprise they were also connected to that IP and port. So I asked some friends and they did not have a connection going out to that IP.

Basically I'm running: 1x Windows 7 (x64), 2x Windows XP (x86), and 2 different antiviruses (Avast and Norton, one on each of the XPs; Windows 7 was just installed so I shouldn't have any malware on that). The only program in common is 7zip (even the web browsers are different: 1x Opera, 2x Firefox). I have not received a single virus in over 2 years and am NOT the kind of person that clicks a link when I don't know where it comes from.

Netstat prints out "TCP 192.168.1.3:52138 78.131.193.150:64180 FIN_WAIT_1" and "TCP 192.168.1.3:52138 78.131.193.150:64180 FIN_WAIT_1 3696/3024 [System]" for -an and -bn respectively.

What I'm wondering is:
First of all, does anyone know if the IP is a RAT/zombie net server that I'm connecting to / am part of?
Second of all, if it is actually malware: is there a common exploit in both XP 32-bit and Windows 7 64-bit that could possibly have infected them?
Third of all: how can I find out what program makes the connection when apparently "The process can not be found"?
And last: what does "FIN_WAIT_1" mean?
June 3rd, 2009 8:35pm
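As an added example (not code from the thread or any of its posters), here is a small Python parser for the kind of netstat -an / -ano output quoted above. It keeps only connections whose remote side is a public address, puts a watchlisted peer such as 78.131.193.150 first, and annotates the TCP state so a line like FIN_WAIT_1 can be read without an RFC lookup (FIN_WAIT_1 is the state after the local side has sent its FIN and is still waiting for the peer to acknowledge it). The sample netstat text is constructed; only the 78.131.193.150 row copies the thread, and the PID column assumes Windows netstat -ano, whose PID can then be matched against tasklist or Task Manager.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample of Windows "netstat -ano" output. The 78.131.193.150 row
# mirrors the one quoted in the thread; the other rows are made-up local noise.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    192.168.1.3:52138      78.131.193.150:64180   FIN_WAIT_1      3696
  TCP    192.168.1.3:52201      192.168.1.1:80         ESTABLISHED     2044
  TCP    192.168.1.3:52300      1.2.3.4:443            ESTABLISHED     2044
  TCP    127.0.0.1:5354         127.0.0.1:49155        ESTABLISHED     1412
  UDP    0.0.0.0:500            *:*                                    1024
"""

# What the TCP states printed by netstat mean (RFC 793 state machine), so a
# report line can be read without looking them up.
TCP_STATE_NOTES = {
    "LISTENING": "local socket waiting for incoming connections",
    "SYN_SENT": "local side sent SYN, no reply yet",
    "ESTABLISHED": "handshake complete, data may flow both ways",
    "FIN_WAIT_1": "local side sent FIN (it started the close), waiting for the peer's ACK",
    "FIN_WAIT_2": "peer acknowledged our FIN, waiting for the peer's own FIN",
    "CLOSE_WAIT": "peer sent FIN, local application has not closed its socket yet",
    "TIME_WAIT": "fully closed, lingering so late segments are not misdelivered",
}

# One netstat row: proto, local, remote, optional state (TCP only), optional PID (-o).
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z][A-Z_0-9]*))?(?:\s+(?P<pid>\d+))?\s*$"
)


@dataclass
class Conn:
    proto: str
    local_host: str
    local_port: str
    remote_host: str
    remote_port: str
    state: Optional[str]
    pid: Optional[int]


def split_endpoint(endpoint: str):
    """'78.131.193.150:64180' -> ('78.131.193.150', '64180'); also handles '[::1]:135'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or a "[process.exe]" continuation line from -b
        lhost, lport = split_endpoint(m["local"])
        rhost, rport = split_endpoint(m["remote"])
        pid = int(m["pid"]) if m["pid"] else None
        conns.append(Conn(m["proto"], lhost, lport, rhost, rport, m["state"], pid))
    return conns


def external_peers(conns: Iterable[Conn], watchlist: Iterable[str] = ()) -> List[Conn]:
    """Keep only connections whose remote side is a public (globally routable) address.
    Watchlisted peers are returned first so they stand out in the report."""
    watch = set(watchlist)
    hits = []
    for c in conns:
        try:
            addr = ipaddress.ip_address(c.remote_host)
        except ValueError:
            continue  # '*' or a hostname, nothing to classify
        if addr.is_global:  # excludes RFC 1918, loopback, 0.0.0.0, link-local, ...
            hits.append(c)
    hits.sort(key=lambda c: c.remote_host not in watch)  # stable: watchlisted first
    return hits


def report(conns: Iterable[Conn], watchlist: Iterable[str] = ()) -> List[str]:
    """One human-readable line per external peer, with the TCP state explained."""
    watch = set(watchlist)
    lines = []
    for c in external_peers(conns, watch):
        tag = "WATCHLIST " if c.remote_host in watch else ""
        note = TCP_STATE_NOTES.get(c.state or "", "")
        pid = f"pid={c.pid}" if c.pid is not None else "pid=?"
        lines.append(f"{tag}{c.proto} {c.local_host}:{c.local_port} -> "
                     f"{c.remote_host}:{c.remote_port} {c.state or ''} {pid}"
                     + (f"  [{note}]" if note else ""))
    return lines


if __name__ == "__main__":
    for line in report(parse_netstat(SAMPLE_NETSTAT), watchlist={"78.131.193.150"}):
        print(line)
```

Running it over a real capture is a matter of replacing SAMPLE_NETSTAT with the saved output of netstat -ano; rows in the -b form with a process name on the following line are skipped by the regex rather than misparsed, and the PID column is what lets a "process not found" puzzle be checked against tasklist on the same machine.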

I dunno what it is, but a DNS lookup shows 7-zip.org out of RU, not Poland. - John
June 4th, 2009 5:16pm

HellBinder,

I think the first step is to find out which application on your computer is connecting to 78.131.193.150:64180. So, just try some tools to get more information on what is currently happening on your computer.

TCPVIEW.EXE (http://live.sysinternals.com/tcpview.exe)
This tool is actually the graphical version of netstat.
-> Try to use this tool to verify which process is connecting to 78.131.193.150:64180.

Microsoft Network Monitor (http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=983b941d-06cb-4658-b7f6-3088333d062f)
This is the Microsoft sniffer to see which data travels from your PC to the suspicious host.
-> Use this to see which data is sent to this 78.131.193.150 host.
-> Try to find out which protocol is used to communicate with the suspicious host. (Mostly the IRC protocol is used.)

Root Kit Revealer (http://live.sysinternals.com/RootkitRevealer.exe)
Use this tool to verify if the process is cloaking itself from the Windows API.

Autoruns (http://live.sysinternals.com/autoruns.exe)
And you can use this tool to check that there are no suspicious files which hook into some Windows components.

More background information on REM you can find in this wonderful presentation: https://isc.sans.org/presentations/cookie.pdf

Try to use the tools and come up with some more information. :) If you have more questions feel free to ask.

Kind regards,
DFT
June 4th, 2009 5:58pm

DFT, thanks for the great reply; it was VERY helpful.

First of all: initially TCPVIEW showed ~50 connections, which all seemed to disappear, and after about 30 seconds only 17 remained (after a restart it only showed those 17 too). The connection to that server hasn't been there all day from any of my computers (no idea why it isn't / was there in the first place); but the other connections that went down seem to also have fixed a minor latency problem I have had (I had ~400 ms over a direct TCP connection, and now have a steady ~17 ms to the same server, and others).

Rootkit Revealer revealed nothing (a few things, but nothing suspicious), and the connection was never sent anything through (I used Wireshark to watch it when I first found it, not Microsoft Network Monitor), but the fact that it was established made me curious (I could also connect through telnet and transmit, but never got a reply from the server; and it didn't terminate the connection either).

Other than that I don't have a PDF viewer on any of my computers (I feel they are too unsafe), so I could not read the PDF; but thanks anyway... and +1 vote =).

What is still bugging me is why 3 computers would connect to the same IP at the same time in the first place, but since they aren't up anymore I guess I won't find out.
June 4th, 2009 7:49pm

> but the fact that it was established made me curious (I could also connect through telnet and transmit, but never got a reply from the server; and it didn't terminate the connection either).

A cool test that you can do is the following: set up a machine in your network with the IP address of the suspicious host. Then download netcat for Windows and execute it with the following switches:

nc -l -p 64180

Then reboot one of the infected machines and on the netcat machine you see the commands that the infected machine sends. The only thing you need to do then is identify which protocol the infected machine uses. And talk back :) (If you don't know how to do this, check the RFC of the protocol.)

> Other than that I don't have a PDF viewer on any of my computers (I feel they are too unsafe), so I could not read the PDF; but thanks anyway... and +1 vote =).

1. Try to use the following tool, the PDF is really worth reading: http://www.adobe.com/products/acrobat/access_onlinetools.html
2. True, there are some vulnerabilities in Adobe Reader. But if you download the latest release 9.1 and you disable the JavaScript functionality, you are pretty safe.
3. Thx for the vote, I really appreciate it :D

> What is still bugging me is why 3 computers would connect to the same IP at the same time in the first place, but since they aren't up anymore I guess I won't find out.

Try my first answer.

Kind regards,
DFT
June 5th, 2009 4:53pm
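The listener test described in the reply above, written out as an added Python example rather than a command from the thread (it is not DFT's code and not the netcat binary): it binds a port, accepts one client, never sends anything back, and records what the client volunteers, together with a hex dump and a first guess at the protocol from the opening bytes (IRC registration lines, an HTTP request line, an SSH banner). The bind address, the port choice (0 here so the OS picks one; on the analysis box in the thread it would be 64180), the sample IRC-style bytes and the fake client thread that stands in for the "infected machine" are all constructed for the demonstration.

```python
import re
import socket
import threading
from typing import Dict


def guess_protocol(payload: bytes) -> str:
    """Small heuristic on the first bytes a client sends, mirroring what one
    would do by eye on the netcat screen. Unknown is a perfectly good answer."""
    head = payload[:80]
    if head.upper().startswith((b"NICK ", b"USER ", b"PASS ")):
        return "IRC"  # an IRC client registers with NICK/USER (optionally PASS) first
    if re.match(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/\d\.\d", head):
        return "HTTP"
    if head.startswith(b"SSH-"):
        return "SSH"
    return "unknown"


def hexdump(data: bytes, width: int = 16) -> str:
    """Classic offset / hex / printable-ASCII dump for the capture log."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}  {hexpart:<{width * 3}} |{text}|")
    return "\n".join(rows)


def open_sinkhole(bind: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Bind and listen; port 0 lets the OS pick, getsockname() reveals it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(1)
    return srv


def capture_one(srv: socket.socket, timeout: float = 10.0, max_bytes: int = 4096) -> Dict:
    """Accept a single client, send nothing back, and record what it sends until it
    closes, goes quiet for `timeout` seconds, or `max_bytes` have been collected."""
    srv.settimeout(timeout)
    conn, peer = srv.accept()
    conn.settimeout(timeout)
    chunks, total = [], 0
    try:
        while total < max_bytes:
            data = conn.recv(min(4096, max_bytes - total))
            if not data:
                break  # client closed the connection
            chunks.append(data)
            total += len(data)
    except socket.timeout:
        pass  # client connected but went silent; that by itself is worth noting
    finally:
        conn.close()
    payload = b"".join(chunks)
    return {"peer": peer, "bytes": payload, "guess": guess_protocol(payload),
            "hexdump": hexdump(payload)}


def demo() -> Dict:
    """Stand-in for the 'infected machine': a thread that connects to the sinkhole,
    sends a constructed IRC-style registration, and hangs up."""
    srv = open_sinkhole()
    port = srv.getsockname()[1]

    def fake_client():
        with socket.create_connection(("127.0.0.1", port)) as c:
            c.sendall(b"NICK bot-0042\r\nUSER bot 0 * :bot\r\n")  # constructed sample

    t = threading.Thread(target=fake_client)
    t.start()
    record = capture_one(srv, timeout=5.0)
    t.join()
    srv.close()
    return record


if __name__ == "__main__":
    rec = demo()
    print("peer:", rec["peer"], "guess:", rec["guess"])
    print(rec["hexdump"])
```

Keeping the listener silent is deliberate: the point of the exercise is to see what the client sends on its own, and a sinkhole that replies nothing cannot be steered by the peer. The protocol guesser only names what it has seen in the first bytes; anything it cannot classify stays "unknown" and is left to the hex dump.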

