|
[x]
Posted via EE Mobile
|
|
| Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again. |
|
|
|
|
|
[x]
The Solution Rating System
|
|
| With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating. - The Grade of the Solution
- The Zone Rank of the Expert Providing the Solution
- The Number of Author and Expert Comments
- The Number of Experts Contributing
- The Feedback of the Community
Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site. If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support. Thank you! |
|
|
|
|
Asked by hdokes in Windows Network Security
I recently had a huge attack of virus's on every windows machine 15 in my facility. The symptoms were mass port scans our to the internet of which I could view with tcpdump in real time. After finally getting a handle on all machines I find my primary workstation sending bursts of info on non conventional ports to the other machines (which are locked down) on the internal network. Further investigation shows that these bursts are tied to the "System idle process" PID. I have never been aware of this process doing anything other than just giving visual feedback to the viewer that the CPU is not being used.
Is anyone aware of a virus that attaches to or replaces the "System Idle Process" file and if so... can you point me to further information regarding what it is, how it may have come in, and how to insure it's total removal?
I have run both virus scans using NOC32 and SuperAntiSpyware and neither have identified any exploit. I am using a program called Process and Port Analyzer which associates the transmitting port with the PID which is clearly showing the "System Idle Process" PID (0) as sending on these unconventional ports. The ports are incrementing in ascending order from the source side as the previous request sits in a wait state due to no response from the destination and keys in on ports 123, 137, 138, and 445 at the destination side.
If this is not a virus... can someone tell me if this is normal activity to go out and interrogate other machines while the CPU is idle?
20091021-EE-VQP-81 - Hierarchy / EE_QW_3_20080625
