Tracking Down A Sender. Virus? Trojan?

  • Thread starter: Jim

Hi All.
I've got a server sending packets to solidirc.com
every few seconds. It sends a PING and receives a PONG.
There seems to be one or two other packets that get sent
also. Looks like my server is trying to log on to a chat
and gets rejected every time.

It shows up in netstat as: server226.xantronmail.de:6667 ESTABLISHED

I think a program has left this to keep a door open
for future use. I don't have much more info.

Can someone tell me how I can track down this program
in Server 2000? I've been watching the task manager
processes, but haven't seen anything that matches yet.

Norton virus scans and Ad-Aware don't come up with it.

Thanks for any help.

Jim
 
That port is involved with a lot of activity as shown in the link below.

http://isc.incidents.org/port_details.html?port=6667

I would try to use TCPView to see if it will map to the folder/application
causing that activity. You can right click the process for more info that may
also tell the software publisher. If you find it, depending on what it is, you
can look to see if you can remove it in Add/Remove Programs, try a trojan
scanner, or manually remove it. You might also try SpyBot Search and Destroy
which also has an advanced mode that contains tools to map processes and show
startup programs that you can selectively disable. If it appears to be an
unexplained malicious program, you will have to decide if you want to repair or
do a total reinstall, which is the preferred method after you take further steps
to protect your network. A firewall that has a default block-all outbound rule,
to which you then add required access ports/applications, can help protect your
network better by blocking access to backdoors on unauthorized ports. --- Steve

http://www.sysinternals.com/ntw2k/source/tcpview.shtml
http://swatit.org/download.html
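
The two ideas in the reply above (tie the connection to a process, and treat outbound traffic as blocked unless explicitly allowed) can be combined into a quick triage of saved netstat output. This is an added example, not part of the original thread: the sample text, addresses, PIDs and the allowed-port list are constructed assumptions, and only the remote endpoint comes from Jim's post. The PID column is optional because it is only printed where netstat supports `-o`.

```python
import re

# Constructed sample in the layout of Windows netstat output. Only the remote
# endpoint on port 6667 is taken from the thread; everything else is made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:80            192.0.2.10:51234       ESTABLISHED     4
  TCP    10.0.0.5:1043          server226.xantronmail.de:6667  ESTABLISHED     1388
  TCP    10.0.0.5:1050          198.51.100.7:25        ESTABLISHED     912
  UDP    0.0.0.0:445            *:*                                    4
"""

# Assumed policy: the only remote ports this server should ever connect to.
ALLOWED_OUTBOUND = {25, 53, 80, 443}

# local addr:port, remote addr:port, state, optional PID
ROW = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)(?:\s+(\d+))?\s*$")


def unexpected_outbound(netstat_text, allowed=ALLOWED_OUTBOUND):
    """Return ESTABLISHED connections this host opened to a non-allowed port."""
    rows = [m.groups() for m in map(ROW.match, netstat_text.splitlines()) if m]
    # Ports we listen on: traffic on these is inbound, not our concern here.
    listening = {int(lport) for _, lport, _, _, state, _ in rows
                 if state == "LISTENING"}
    findings = []
    for _, lport, raddr, rport, state, pid in rows:
        if state != "ESTABLISHED" or int(lport) in listening:
            continue
        if int(rport) not in allowed:
            findings.append({
                "remote": f"{raddr}:{rport}",
                "local_port": int(lport),
                "pid": int(pid) if pid else None,  # None: look it up in TCPView
            })
    return findings


if __name__ == "__main__":
    for hit in unexpected_outbound(SAMPLE):
        print(hit)
```

A finding with a PID can be matched against the process list; one without a PID still gives the local port to look for in TCPView.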
 
Thanks for the info.
I'll try all of your recommendations.
Except maybe not a total reinstall. Yikes! :)
Thanks again.

Jim
 