Tracing PPP traffic

Status
Not open for further replies.

Clairvoyant1332

Programmer
May 21, 2003
147
US
I have an NT 4.0 box at home that uses a PPP dialup connection. On a fairly regular basis, if the connection is closed I'll see an Auto-Dial attempt pop up and reconnect to my ISP, after which I see some TCP port 80 connections under ipconfig. I've even seen this happen shortly after a reboot before I start up any apps. I've been using SpyBot Search And Destroy to look for spyware but nothing comes up.

Is there any sniffer software out there that will snoop a PPP dialup connection? The ones I've seen only snoop ethernet traffic.

OR... could someone suggest some other methods of finding out what is initiating these auto-dial attempts?
 
Is it a workstation or server? What services are running (i.e. DNS, WINS, etc.?)

Alex
 
It's NT 4.0 Workstation. It uses DNS once it dials up, but it's not a DNS server. The only questionable apps loaded that I can think of offhand are ICQ, AIM, and RealPlayer. I'll have to dig around a bit when I get home to see what else is on there.
 
You've found it (or them):

ICQ = automatically logs in
AIM = automatically logs in
RealPlayer = always calls "home" to report it

Set these so they don't run at start up, you may have to REMOVE RealPlayer as that software is nasty about reporting in...

Try installing the free ZoneAlarm; it will report exactly what software is communicating with the internet. (You can also use "Lock" to prevent ANY communication and see what program reports an error.)

Alex
 
I found it! I installed ZoneAlarm and while I was disconnected I found that c:\winnt\system32\msrexe.exe was trying to access the DNS server that I use when I'm dialed in. So apparently it's a process internal to WinNT, now the question is why is it doing this?
 
Msrexe is not a valid Windows file. You are infected with a trojan:

WinTasks Process Library
msrexe - msrexe.exe - Process Information
Process File: msrexe or msrexe.exe
Process Name: Remote Access / Hacking tool / ICQ trojan
Description: Added to the system as a result of an ICQ Trojan that alters the Win.ini and System.ini files and generates several .exe files with randomly chosen names.
Company: N/A
System Process: No
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes

Please use Google for "msrexe.exe" as there are many, many variants of this Subseven trojan, and their removal requires special steps depending on the version.
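The persistence trick named in that WinTasks entry (edits to win.ini and system.ini) can be checked without a personal firewall: a clean NT 4.0 / Win9x install has empty `load=` and `run=` lines under `[windows]` in win.ini and `shell=explorer.exe` under `[boot]` in system.ini, so anything else in those keys launches at logon. The following is an added example for this thread, not code from the original posts, ZoneAlarm or WinTasks; the sample ini contents are constructed to resemble what the thread describes, and the list of "expected" programs (just explorer.exe) is an assumption about a stock install.

```python
"""Check win.ini / system.ini for the auto-start entries a SubSeven/ICQ-style
trojan plants. Added example for this thread; not code from the original
posts, ZoneAlarm or WinTasks. The sample ini contents below are constructed,
not captured from the poster's machine."""
import ntpath

# Auto-start keys these trojans abused, with the value a clean install has.
# Anything else in these keys launches at logon and deserves a look.
WATCHED = {
    "win.ini":    {("windows", "load"): "", ("windows", "run"): ""},
    "system.ini": {("boot", "shell"): "explorer.exe"},
}

# Programs that legitimately appear in the watched values (assumption: the
# stock NT 4.0 shell line is just explorer.exe).
EXPECTED_PROGRAMS = {"explorer.exe"}


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}} with lower-cased names.

    Hand-rolled rather than configparser so that section names compare
    case-insensitively and stray lines without '=' are simply ignored.
    """
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            data.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            data[section][key.strip().lower()] = value.strip()
    return data


def find_autostart(ini_name, text):
    """Return (section, key, value) for each watched key present with a non-default value."""
    ini = parse_ini(text)
    findings = []
    for (section, key), default in WATCHED[ini_name].items():
        entries = ini.get(section, {})
        if key not in entries:          # absent key: nothing is launched from it
            continue
        value = entries[key]
        if value.lower() != default:
            findings.append((section, key, value))
    return findings


def suspicious_programs(value):
    """Split a load=/run=/shell= value into program names, dropping expected ones.

    Caveat: entries are whitespace- or comma-separated here; a path containing
    spaces would be split into fragments, so inspect odd-looking tokens by hand.
    """
    names = []
    for token in value.replace(",", " ").split():
        name = ntpath.basename(token).lower()
        if name and name not in EXPECTED_PROGRAMS and name not in names:
            names.append(name)
    return names


def scan(files):
    """files: {ini_name: text}. Returns [(ini_name, section, key, value, [programs])]."""
    report = []
    for ini_name, text in files.items():
        for section, key, value in find_autostart(ini_name, text):
            report.append((ini_name, section, key, value, suspicious_programs(value)))
    return report


# Constructed sample contents resembling what the thread describes.
SAMPLE_FILES = {
    "win.ini": """
[windows]
load=
run=c:\\winnt\\system32\\msrexe.exe
NullPort=None
[fonts]
""",
    "system.ini": """
[boot]
shell=explorer.exe msrexe.exe
[drivers]
wave=mmdrv.dll
""",
}

if __name__ == "__main__":
    # On a real NT box, read the files from %SystemRoot% instead, e.g.:
    #   root = os.environ.get("SystemRoot", r"C:\WINNT")
    #   files = {n: open(os.path.join(root, n)).read() for n in WATCHED}
    for ini_name, section, key, value, progs in scan(SAMPLE_FILES):
        print(f"{ini_name} [{section}] {key}={value!r} -> suspicious: {progs}")
```

Run against the constructed samples it reports both the `run=` line in win.ini and the extra `msrexe.exe` appended to the shell line; against a clean pair of files it reports nothing. The Registry `Run`/`RunServices` keys are the other usual hiding place on NT and are not covered here.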
 
Damn! And I thought I was good about my downloading habits. I should have figured out this was on my system a long time ago. This is embarrassing....
 