219.145.179.103 in China on my system!
Fraha
June 24th, 2004, 07:08 PM
Hi all,
I keep having activity on my hard disk, so I looked at it with PE.
It seems that 219.145.179.103 in China is the target; local port 139 and external port is 43.310.
It keeps going on and off but cannot make a connection to the outside.
It's only visible in the TCP and REMOTE tabs.
Does anyone know how to get rid of the software that does this?
Process id is 4 (PID), so it's serious I guess.
How can I find out which program is doing this?
Frans
Fraha
June 24th, 2004, 07:15 PM
BTW, here's my HijackThis logfile.
What is the problem?
Logfile of HijackThis v1.97.7
Scan saved at 1:14:43, on 25-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
H:\ftp\security\regprot\regprot\regprot.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Weather Watcher\ww.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Norman\NPF\NPFMSG.EXE
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\MailWasher Pro\MailWasher.exe
C:\ProcessGuard\procguard.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Norman\Nvc\BIN\Zanda.exe
C:\Program Files\United Devices\UD.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\Program Files\United Devices\ud_7174683.exe
C:\WINDOWS\System32\svchost.exe
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\Program Files\United Devices\ud_7174683_0.dir\ud_ligfit_Release.exe
C:\Program Files\TrojanHunter 3.8\TrojanHunter.exe
C:\Program Files\Port Explorer\PortExplorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\TDS3\Ext.Plug\nbsrvem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro2004.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fraha's own explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 194.109.6.83
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwproxy.xs4all.nl:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://host133.ipowerweb.com/vdeck;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {904691A1-C588-4B27-BC47-D8599EDB3F97} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ANWB Toolbar - {EBB03E3E-020A-418D-B322-761B730CA860} - C:\Program Files\ANWBToolbar\ANWBToolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Total Uninstall] C:\Program Files\Total Uninstall\Tun.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CSSplash] C:\Program Files\CryptoSuite\cs_splash.exe
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [RegProt] h:\ftp\security\regprot\regprot\regprot.exe /start
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [NWEReboot] C:\Program Files\Ahead\Nero\Uninstall\Unnero.exe /REMOVE="C:\DOCUME~1\FRANSH~1\LOCALS~1\Temp\RarSFX2"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [CamWizard] C:\Program Files\Common Files\Logitech\QCDRV\BIN\CamWizrd.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TDS3] C:\TDS3\TDS-3.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [SecureItPro] C:\Program Files\SecureIt Pro\secureitpro470p.exe /LOADSILENT
O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O4 - Startup: Process Guard.lnk = C:\ProcessGuard\procguard.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: StickIt Note Launcher.lnk = C:\StickIt\StickIt Launcher.exe
O4 - Startup: StickIt UDP Server.lnk = C:\StickIt\SIserver.exe
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NPF Messenger.lnk = ?
O4 - Global Startup: PGPtray.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: ANWB (HKLM)
O9 - Extra 'Tools' menuitem: ANWB-toolbar (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: [url]www.anwb.nl[/url]
O15 - Trusted Zone: [url]http://www.diamond.com.au[/url]
O15 - Trusted Zone: [url]www.diamondcs.com.au[/url]
O15 - Trusted Zone: [url]http://www.devolkskrant.nl[/url]
O15 - Trusted Zone: [url]www.euro2004.com[/url]
O15 - Trusted Zone: [url]http://groups.msn.com[/url]
O15 - Trusted Zone: [url]www.nos.nl[/url]
O15 - Trusted Zone: [url]http://www.nos.nl[/url]
O15 - Trusted Zone: [url]http://www.nosnieuws.nl[/url]
O15 - Trusted Zone: europe.real.com
O15 - Trusted Zone: nl.sitestat.com
O15 - Trusted Zone: [url]www.tspeedtest.nl[/url]
O15 - Trusted Zone: [url]http://home.wanadoo.nl[/url]
O16 - DPF: HushEncryptionEngine - [url]https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab[/url]
O16 - DPF: Yahoo! Chat - [url]http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab[/url]
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - [url]http://office.microsoft.com/templates/ieawsdc.cab[/url]
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - [url]http://www.apple.com/qtactivex/qtplugin.cab[/url]
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - [url]http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB[/url]
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - [url]http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab[/url]
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - [url]http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab[/url]
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - [url]http://office.microsoft.com/officeupdate/content/opuc.cab[/url]
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - [url]http://a1540.g.akamai.net/7/1540/52/20021126/qtinstall.info.apple.com/sikes/nl/win/QuickTimeInstaller.exe[/url]
O16 - DPF: {54BA1E8F-818D-407F-949D-BAE1692C5C18} (Attribute Class) - [url]http://gemal.dk/browserspy/capicom.dll[/url]
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - [url]http://www.xblock.com/download/xclean_micro.exe[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - [url]http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab[/url]
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - [url]http://www.pcpitstop.com/mhLbl.cab[/url]
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - [url]http://www.friendster.com/import/emailimport.cab[/url]
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - [url]http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab[/url]
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - [url]http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38105.6169675926[/url]
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - [url]http://www.microsoft.com/security/controls/SassCln.CAB[/url]
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - [url]http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab[/url]
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - [url]http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444554340000} - [url]http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - [url]http://fraha.instantlogic.com/XUpload.ocx[/url]
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} - [url]http://companion.logitech.com/companion/logitech/ver1.3.0.2041/bin/imvid.cab[/url]
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - [url]http://chat.msn.com/bin/msnchat45.cab[/url]
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - [url]http://www.housecall.nl/housecall/xscan4.cab[/url]
Regards, Frans
Gavin - DiamondCS
June 25th, 2004, 03:18 AM
Hi,
Your log looks clean enough; it's hard to tell what is going on. Port 139 would suggest perhaps you were port-scanned by that IP on the NetBIOS ports, which your firewall should be blocking?
I'd check file shares and users to make sure they are all correct and have strong passwords. Then disable NetBIOS unless you absolutely NEED it for your local network. Finally, ensure your firewall rules block NetBIOS ports 137-139 to the internet.
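The original post reports a socket on local port 139 owned by PID 4, and the replies above treat that as NetBIOS exposure rather than a rogue program. The following Python triage script is an added example (not Port Explorer or DiamondCS code) that makes that reasoning concrete: it parses `netstat -ano` style output and reports NetBIOS/SMB sockets that are talking to a non-private peer, labelling PID 4 as the System process (the kernel's own SMB/NetBIOS service, which is why no executable path ever shows up for it). The sample lines are constructed to mimic `netstat -ano` format; the Chinese address is the one from the thread.

```python
"""Triage of `netstat -ano` output for NetBIOS/SMB exposure.

Added example, not code from the thread or from DiamondCS. The sample
lines below are constructed to look like Windows `netstat -ano` output
(the thread's own Port Explorer output is not on the page).
"""
import ipaddress

# Ports served by the Windows kernel itself (PID 4, the System process):
# NetBIOS name/datagram/session service and direct-hosted SMB.
NETBIOS_SMB_PORTS = {137, 138, 139, 445}
SYSTEM_PID = 4

# Constructed sample output (format follows `netstat -ano` on Windows).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       219.145.179.103:43310  SYN_RECEIVED    4
  TCP    192.168.1.10:139       192.168.1.20:1045      ESTABLISHED     4
  TCP    192.168.1.10:3321      64.91.255.87:80        ESTABLISHED     1532
  UDP    192.168.1.10:137       *:*                                    4
"""


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); '*:*' yields ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    try:
        return host, int(port)
    except ValueError:
        return host, None


def parse_netstat(text):
    """Parse netstat -ano lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        # TCP rows carry a State column, UDP rows do not; PID is always last.
        state = parts[3] if proto == "TCP" and len(parts) == 5 else ""
        pid = int(parts[-1])
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport, "state": state, "pid": pid})
    return rows


def is_external(host):
    """True for a routable, non-private address ('*' and 0.0.0.0 are not)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_unspecified
                or addr.is_loopback or addr.is_link_local)


def find_netbios_exposure(rows):
    """Return NetBIOS/SMB sockets whose peer is outside the private ranges.

    A PID of 4 means the System process: the socket belongs to the kernel's
    SMB/NetBIOS server, not to a user-mode program, so the remedy is a
    firewall rule for 137-139/445 or disabling NetBIOS over TCP/IP, not a
    hunt for an executable.
    """
    findings = []
    for r in rows:
        if r["lport"] in NETBIOS_SMB_PORTS and is_external(r["rhost"]):
            owner = ("System (kernel SMB/NetBIOS)" if r["pid"] == SYSTEM_PID
                     else f"PID {r['pid']}")
            findings.append((r["rhost"], r["lport"], r["state"], owner))
    return findings


if __name__ == "__main__":
    for peer, port, state, owner in find_netbios_exposure(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{peer} -> local port {port} [{state}] owned by {owner}")
```

On a real machine, pipe the output of `netstat -ano` into `parse_netstat`; the LAN peer on the same port is deliberately not reported, which is the distinction Gavin draws between local file sharing and NetBIOS reachable from the internet.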
Jooske
June 25th, 2004, 03:51 AM
Suppose it is on a netstat (SYSTEM) socket, and not related to an application on there?
As you blocked it, there will not be any packets to spy on (not possible on netstat sockets either); maybe set Port Listen on 139 via your TDS, but since you blocked it I'm not expecting any results.
Resolving the IP doesn't give any clues either?
Does your Log File or the firewall log show anything? The Port Explorer log always shows which application is involved for the activity.
Fraha
June 25th, 2004, 03:53 AM
Hi Gavin and thanks for your reply.
The main worry is that there is constant activity on my hard disk.
When I look with Port Explorer there is a constant closing and opening of sockets (?) to that URL.
As of today there is a connection shown in the Established tab!
All I can do is Kill Socket, but it's always back again after a while, mostly within the minute.
Is there a way to find out which program is doing this?
Frans
Wayne - DiamondCS
June 25th, 2004, 03:56 AM
-{ Quote: "The main worry is that there is constant activity on my harddisk." }-
To monitor hard drive activity download FileMon from www.sysinternals.com, this will give you a clear indication as to which process is actually behind the disk activity.
Fraha
June 25th, 2004, 04:21 AM
? This Diskmon program gives me constant writing of data to the HD but I cannot find any info on which program does this.
Did I miss something?
Frans
Wayne - DiamondCS
June 25th, 2004, 04:31 AM
Filemon, not Diskmon ... :)
http://www.sysinternals.com/ntw2k/source/filemon.shtml
Fraha
June 25th, 2004, 05:03 AM
Ok, ok, it's still early here! ;-)
After I downloaded this wonderful program all activity to China and the above-mentioned IP address stopped.
I get the suspicion it has something to do with UD.com www.grid.org, but this should be a first. I never noticed any activity to wherever from this program.
It could also be because I permanently closed ports 137-139, not sure yet.
I'm off to the user forum on www.grid.org to see if this could have been the problem.
I'll be back!
Thanks all!
Frans
Jooske
June 25th, 2004, 09:38 AM
UD should not have a constant connection to them: they should only upload a working packet and you send it back when ready, in the meantime you should not be connected to them all time.
I thought of those systems they would only use your spare CPU when you did not need it yourself. I ran several of their projects, but my system's performance went really bad with that, and using WinTasks I saw what really happened: it was as if the UD got preference over all resources / CPU and I was stumbling and stuttering to get my work done, RAM and CPU always at 100%.
So I closed UD, tried again several times, but since stopped it completely with great relief for all my system.
I don't want to be negative about the, I think, very useful projects, but on older / smaller / slower systems with too few resources it's not really advisable.
So if you had told us you run UD we could have told you this part.
I do know several people with large heavy systems with all space who hardly notice anything of UD and Seti running at a time, at times several packets at a time (probably multi-user on one system) and they hardly notice anything at all. And they don't get to that 100% they told me.
So the 100% CPU / HD activity could be explained with that part.
But the constant connection to the Chinese address seems rather much! Unless your system is so superfast you're constantly sending back and forth packages your system worked on, or your UD project would be done online!
Port Explorer should be able to throttle bandwidth on those packets btw, and UD should show up with its application icon in the list!
Honestly said, I don't remember on which port it worked! Maybe something came with it which should not be there?
Did you scan the UD exe file another time and check for possible modifications?
Fraha
June 25th, 2004, 12:25 PM
It looks under control now. Have a discussion at ud.com about this.
I think I need to close down this program too! Shame, it was and is a good cause...
Frans
Jooske
June 25th, 2004, 01:41 PM
Long ago when I still was running it I asked their support but never got a reply, so after several times closing it and starting it after a few days and seeing the differences each time I decided to stop it completely.
Seti was less aggressive on my CPU though, but this UD could use some more user-system-friendly re-programming.
Close or kill it via the running process list in TDS, or maybe throttling its bandwidth via Port Explorer could help, or start it manually when you go to sleep and don't need your system while you are offline, whatever.......
nadirah
June 28th, 2004, 02:39 AM
WHOIS results for 219.145.179.103
Generated by www.DNSstuff.com
Country: [APNIC Unlisted]
ARIN says that this IP belongs to APNIC; I'm looking it up there.
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 219.144.0.0 - 219.145.255.255
netname: CHINANET-SN
descr: CHINANET shanxi(SN) province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: XC10-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-SHAANXI
changed: ***********@ns.chinanet.cn.net 20020702
status: ALLOCATED PORTABLE
source: APNIC
person: Chinanet Hostmaster
address: No.31 ,jingrong street,beijing
address: 100032
country: CN
phone: +86-10-66027112
fax-no: +86-10-58501144
e-mail: ***********@ns.chinanet.cn.net
e-mail: **********@ns.chinanet.cn.net
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: ***********@ns.chinanet.cn.net 20021016
remarks: hostmaster is not for spam complaint,please send spam complaint to**********@ns.chinanet.cn.net
source: APNIC
person: Xianghong Cao
address: Shaanxi province data communication Bureau
address: 8# guangde Road west development zone
address: Xi'an city, Shanxi province 710075
address: CN
phone: +8629-837-1049
fax-no: +8629-837-1049
e-mail: ******@PUBLIC.XA.SN.CN
nic-hdl: XC10-AP
mnt-by: MAINT-CHINANET-SHAANXI
changed: ******@PUBLIC.XA.SN.CN 20011203
source: APNIC
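The APNIC output quoted above is in the RIR's RPSL record format: blank-line separated records of `key: value` pairs, with `%` lines as server comments. The following Python script is an added example, not part of the thread or of DNSstuff, showing how to parse that format and confirm which `inetnum` record actually covers 219.145.179.103 and who its registered contacts are; it is the check a responder does before trusting any geolocation guess. The WHOIS text is the APNIC record from this thread, trimmed to the fields the parser needs, with the e-mail addresses left masked as they were on the page.

```python
"""Parse APNIC-style WHOIS (RPSL) output and find the record covering an IP.

Added example, not part of the thread. The text below is the APNIC output
quoted in this thread, trimmed; e-mail addresses stay masked as on the page.
"""
import ipaddress

WHOIS_TEXT = """\
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum:      219.144.0.0 - 219.145.255.255
netname:      CHINANET-SN
descr:        CHINANET shanxi(SN) province network
descr:        China Telecom
country:      CN
admin-c:      CH93-AP
tech-c:       XC10-AP
mnt-by:       MAINT-CHINANET
status:       ALLOCATED PORTABLE
source:       APNIC

person:       Chinanet Hostmaster
nic-hdl:      CH93-AP
e-mail:       ***********@ns.chinanet.cn.net
source:       APNIC

person:       Xianghong Cao
address:      Xi'an city, Shanxi province 710075
nic-hdl:      XC10-AP
source:       APNIC
"""


def parse_rpsl(text):
    """Split WHOIS output into records: dicts mapping key -> list of values.

    Records are separated by blank lines; '%' lines are server comments.
    Repeated keys such as 'descr' are common, hence lists.
    """
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")  # split on the FIRST colon only
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def inetnum_range(value):
    """Turn 'a.b.c.d - e.f.g.h' into a pair of ip_address objects."""
    start, _, end = value.partition("-")
    return ipaddress.ip_address(start.strip()), ipaddress.ip_address(end.strip())


def find_allocation(records, ip):
    """Return the inetnum record whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for rec in records:
        for rng in rec.get("inetnum", []):
            start, end = inetnum_range(rng)
            if start <= addr <= end:
                return rec
    return None


def contacts_for(records, rec):
    """Resolve the admin-c / tech-c handles of an inetnum record to persons."""
    handles = set(rec.get("admin-c", [])) | set(rec.get("tech-c", []))
    return {r["nic-hdl"][0]: r["person"][0]
            for r in records if "nic-hdl" in r and r["nic-hdl"][0] in handles}


def summarize(text, ip):
    """Which netname/country the RIR holds responsible for ip, with contacts."""
    records = parse_rpsl(text)
    rec = find_allocation(records, ip)
    if rec is None:
        return None
    return {"netname": rec["netname"][0], "country": rec["country"][0],
            "range": rec["inetnum"][0], "contacts": contacts_for(records, rec)}


if __name__ == "__main__":
    print(summarize(WHOIS_TEXT, "219.145.179.103"))
```

Feeding the script live output from `whois -h whois.apnic.net 219.145.179.103` works the same way, since the server comment and record layout are what the parser keys on; anything outside the `inetnum` range (the NetGeo "AU" entry later in this thread is a lookup of the whole 219.0.0.0/8 block allocated to APNIC, not of this network) is simply reported as not covered.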
Jooske
June 28th, 2004, 05:20 AM
Funny ----- the NetGeo location: ( new dns stuff expert site: http://www.dnsstuff.com/pages/expert.htm )
VERSION=1.0
TARGET: 219.145.179.103
NAME: APNIC-AP
NUMBER: 219.0.0.0 - 219.255.255.255
CITY: MILTON
STATE: NEW SOUTH WALES (state)
COUNTRY: AU
LAT: -35.32
LONG: 150.40
LAT_LONG_GRAN: City
LAST_UPDATED:
NIC: APNIC
LOOKUP_TYPE: Block Allocation
RATING:
DOMAIN_GUESS: apnic.net
STATUS: OK
nadirah
June 28th, 2004, 05:29 AM
-{ Quote: "Funny ----- the NetGeo location:
VERSION=1.0
TARGET: 219.145.179.103
NAME: APNIC5
NUMBER: 219.0.0.0 - 219.255.255.255
CITY: MILTON
STATE:
COUNTRY: AU
LAT: -35.32
LONG: 150.40
LAT_LONG_GRAN: City
LAST_UPDATED:
NIC: ARIN
LOOKUP_TYPE: Block Allocation
RATING:
DOMAIN_GUESS:
STATUS: OK" }-
Funny, why is the country not China? The result is wrong, I think.
Jooske
June 28th, 2004, 05:33 AM
Using Proxies?
Fraha
June 28th, 2004, 11:30 AM
No, no proxies in use here!
Frans
Jooske
June 28th, 2004, 11:41 AM
Not you, the China IP. But of course it can also be an AU-based domain registered on Chinanet; that sounds rather logical, or such a thing. Only a little different, as China was in your country code, not AU.
Did the activity come back in the meantime, and did you shut down occasionally the UD to see if it could be related?
Fraha
June 28th, 2004, 04:17 PM
It really said China in PE.
Perhaps the problem is no problem at all!
Could it be that the net-bus emulator does things like this?
Only now I noticed the last columns in PE's 'Established' tab. There are never any numbers there, so I guess the alarm is 'loos'?
Still seeing 'connections' but now from BR (Brazil) and other, not so great countries (as far as relays are concerned).
If so, I'm sorry for the stir... :-X
Frans
Jooske
June 28th, 2004, 04:29 PM
(for the non-dutchies, "loos alarm" has nothing to do with loo's although in fact it has as it means false alarm which we rather flush)
I'm not sure Frans, anything could have been the matter, maybe another infection, hack, intrusion, stealing your bandwidth, using your system as a proxy, anything. It should be really imperative to check all your logs, update all your scanners and in this case do a daily full system scan with all options checked, an extra online scan, grc.com Shields Up, at www.wilders.org try all available online tests, as it looks like a backdoor installed. No rootkits detected? ProcessGuard working fine?
A router installed?
Maybe you can post the AutoStartViewer log, or if that is too private send it to support@diamondcs.com.au as it shows more than the HJT log.
Euhmmm, you reformatted since the other log? Post a new one please, as I simply don't trust what's happening. And close all kinds of distributed networks for a few days: seti, UD, kazaa, all messengers, etc etc. Check the msconfig for all startups, everything.
Fraha
June 28th, 2004, 04:39 PM
Yes, sorry about the Dutch word, could not find an English word for that! ;-)
Router is and has always been installed. It's a Draytek Vigor 2200E. The one with the cables! Everything is wired here!
Complete scan done yesterday and almost every day. Only one problem detected and unremovable is a piece of software for remote ADMIN.
This software never worked for me but I cannot get rid of it. File locked somehow.
Strange this did not show up in my HJT log!
I'm doing a TDS scan now so I can tell you more about this problem! Perhaps this is the problem, never know.
Not likely btw, the firewall is on for this program; no chance that gets to the internet!
I even forgot the name of that program. Will be back later with more info on this.
Frans
Jooske
June 28th, 2004, 04:46 PM
What can you tell about the remote admin? location, which program it is, etc; how did it come back after a complete reformat?
Pigitus
June 28th, 2004, 05:08 PM
This is my first post at Wilders. 3 Port Explorers are installed at home. What an excellent eye opening software! A few remarks on this thread.
1. What puzzles me with the initial post on this thread is that Port Explorer should have detected the name AND path of the program that connects to China. I don't think this information has been given here yet.
2. This IP -- 219.145.179.103 -- should be resolved at the source since Port Explorer cannot resolve it. Source is http://www.apnic.net/ for Asia. There are 4 regional Internet address authorities for the world, of which APNIC is for Asia. When these regional authorities allocate IP addresses, they require disclosure of information such as phone numbers, persons in charge, etc., which brings me to the next point.
3. The e-mail addresses that were hidden at the other source are actually legible at APNIC:
hostmaster@ns.chinanet.cn.net
anti-spam@ns.chinanet.cn.net
IPADM@PUBLIC.XA.SN.CN (contact Xianghong Cao).
4. After I started using the 4-port DSL Linksys router with firmware version 1.37 in the year 2000, ZoneAlarm intercepted no intrusion attempt for a while. This was due to the masking effect of the router. But gradually, ZA started to pick up attempts (which means I ought to upgrade the router firmware). Interestingly, those attempts have been from rather sophisticated places, mostly some TELECOMs and university computer science departments. So some people know how to scan through the 1.37 Linksys router. Those telecoms have been mostly from Italy, France, South Korea and China.... which leads me to the final point.
5. Port Explorer could only identify that 219.145.179.103 was from China but could not provide more details. Since there are sophisticated people all over the world, including hackers and thieves, I suggest that the otherwise excellent PE be upgraded to resolve IP addresses from all over the world.
Jooske
June 28th, 2004, 05:18 PM
Hi there, and welcome!
What am I missing? 219.145.179.103 resolves / whois-es to Chinanet with Port Explorer?
If you let it search automated, or you can click the apnic.net link if you like.
What do you see more than Chinanet? Except for the node location I found...
Fraha
June 28th, 2004, 06:30 PM
-{ Quote: "What can you tell about the remote admin? location, which program it is, etc; how did it come back after a complete reformat?" }-
I think you are now mixing two separate message strings.
Here, on my system, I never formatted since my initial setup!
In the virus forum I mentioned a format with a new setup on the PC of my friend. Still no solution for that.
What I need is a quick ISO file which has a good AV scanner on it and, if at all possible, some of the DiamondCS files.
A 30-day trial is enough for this.
For a later date it would be nice to know how to make a bootable CD image with selected programs on it so I can take that along. Until that happens, I'll take along my 250 MB USB key with all that stuff installed.
First thing is to get a good AV scanner on a bootable CD so I can remove all viruses from THAT machine.
more on that in the virus forum!
Frans
Pigitus
June 29th, 2004, 01:48 AM
Jooske,
PE's Whois does resolve IP addresses correctly. You are right. But when you right-click on a line in PE, choose "Resolve IP ..." and type the above IP in, then the "Host" line says: "Could not resolve IP address", though the "Country" line indicates "China". The "Host" line typically does a good job showing a detailed DNS name under ARIN, but apparently not under APNIC as is the case here?
Pigitus
June 29th, 2004, 01:55 AM
Fraha,
I was wondering about the program name and path that caused this contact with China. PE can identify this program in the first column.
Since PID is 4, are you saying that instead of a program name and file path you simply got "* SYSTEM" under the "Process column" ?
Jooske
June 29th, 2004, 02:54 AM
The resolve tries to find the DNS name, and it looks like it is not sure.
I see in resolving rather often addresses in China but "could not resolve host", for instance, or addresses in AU which are a lot of the time on APNIC too.
In this case the IP is on the Chinanet, but the node itself is in AU, so maybe this is a reason for Port Explorer to be uncertain and rather says it could not find it.
Pigitus
June 29th, 2004, 03:47 AM
Jooske,
Thanks for making the distinction between the IP and the node, and suggesting that PE's DNS resolution may be confused because it does not make the distinction. However, I think this whole thing about resolving the DNS should be improved in PE. Maybe PE ought to be able to distinguish between IP and node in order to be no longer confused.
Therefore, I am sure you would agree that, in the spirit of improving the product, this comment should be passed on to DiamondCS. How best to do that? As a moderator, is it part of your tasks to send product-improvement suggestions to DiamondCS when they occur under your watch? Or do you think that I should do it? Or is someone else at Diamond watching, for sure, what we are writing about here and will automatically forward the suggestion to the PE programmer(s) ? Your answer here will be useful in the future, since this is my first day posting at Wilders.
Jooske
June 29th, 2004, 04:21 AM
Be assured the DiamondCS team is on the board frequently and will correct this if our conclusions are wrong and tell us where it is wrong, or will applaud and tell us it will be on the worklist for improvements for a next version.
I remember Gavin once long ago told there is a difference between whois and resolving, but what it exactly was and where...... must be a few years ago, can have been in the TDS forum or in this one, will be some searching :(
Duncan_922
April 4th, 2005, 04:21 PM
They could be using a program like Anonymizer... It selects different proxies around the world to confuse and conceal your real IP. I'd be worried about that NWEReboot entry in your registry. One of my users' PCs has been acting up lately and I found it too in the registry. A little research on Google has turned up nothing. It seems to be something pretty new and nobody knows what it is.
zero'z down
April 6th, 2005, 12:21 PM
Try winipcfg, release your IP, wait for a bit and renew; see if you're still bothered.
Turn off System Restore, then purge the restore directory.
Run a virus scan and/or Ad-Aware, Spybot.
Make sure all are up to date.
Check your ActiveX and script settings; block 3rd party under Options, Advanced. In fact remove Java and ActiveX altogether; initialize trusted sites in Internet Explorer to the minimum level and block untrusted sites. Check bootlog files and system install logs to see if programs bundled their software with unknown applications.
Check ODBC in Control Panel for suspicious additions; check to see if you're using signed drivers; check date/time stamps on software for newly added rogues.
If it just started, type scanreg /restore and choose a time when your computer was running fine.
To find out what is accessing, use a file dependency checker!!
Mephisto
April 8th, 2005, 01:13 PM
I would tick these for removal in Hijack This:
O2 - BHO: (no name) - {904691A1-C588-4B27-BC47-D8599EDB3F97} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
Me personally, I wouldn't allow any sites into my Trusted Zone - very dangerous (IMO). free.aol.com is spyware notorious for installing into your safe zones.
O15 - Trusted Zone: www.anwb.nl
O15 - Trusted Zone: http://www.diamond.com.au
O15 - Trusted Zone: www.diamondcs.com.au
O15 - Trusted Zone: http://www.devolkskrant.nl
O15 - Trusted Zone: www.euro2004.com
O15 - Trusted Zone: http://groups.msn.com
O15 - Trusted Zone: www.nos.nl
O15 - Trusted Zone: http://www.nos.nl
O15 - Trusted Zone: http://www.nosnieuws.nl
O15 - Trusted Zone: europe.real.com
O15 - Trusted Zone: nl.sitestat.com
O15 - Trusted Zone: www.tspeedtest.nl
O15 - Trusted Zone: http://home.wanadoo.nl
Some say this is an OK toolbar ... some say it's pending and some say it's spyware. I would keep my eyes on it.
O15 - Trusted Zone: www.anwb.nl
O3 - Toolbar: ANWB Toolbar - {EBB03E3E-020A-418D-B322-761B730CA860} - C:\Program Files\ANWBToolbar\ANWBToolbar.dll
O9 - Extra button: ANWB (HKLM)
O9 - Extra 'Tools' menuitem: ANWB-toolbar (HKLM)
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453078342
http://www.spywaredata.com/spyware/toolbar.php?status=
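The replies above review the HijackThis log by entry type: O2 BHOs whose DLL no longer exists, O6 IE policy restrictions, every O15 Trusted Zone entry, and O16 downloaded controls. The following Python script is an added example (not a HijackThis feature and not code from anyone in this thread) that applies those same review rules mechanically to a log; the sample lines are taken from the log posted earlier in this thread, and the allow-list of known download hosts is a constructed example of a reviewer's own baseline.

```python
"""Triage a HijackThis log for the entry types flagged in this thread.

Added example, not part of HijackThis or of the thread. Sample lines are
from the log posted earlier in the thread; KNOWN_DPF_HOSTS is a constructed
allow-list standing in for a reviewer's own baseline.
"""
import re
from urllib.parse import urlparse

SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.euro2004.com/index.html
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\\Program Files\\SpywareGuard\\dlprotect.dll
O2 - BHO: (no name) - {904691A1-C588-4B27-BC47-D8599EDB3F97} - (no file)
O4 - HKLM\\..\\Run: [TDS3] C:\\TDS3\\TDS-3.exe
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
O15 - Trusted Zone: www.euro2004.com
O15 - Trusted Zone: http://groups.msn.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38105.6169675926
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
"""

# Every HijackThis entry starts with a section tag such as R0, O2 or O16.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Constructed allow-list of DPF download hosts the reviewer already trusts.
KNOWN_DPF_HOSTS = {"v4.windowsupdate.microsoft.com", "office.microsoft.com"}


def parse_hjt(text):
    """Return (section, body) tuples for every entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries):
    """Apply the thread's review rules; returns (severity, section, reason, body)."""
    findings = []
    for section, body in entries:
        if section == "O2" and body.endswith("(no file)"):
            findings.append(("fix", section, "BHO registered but its DLL is missing", body))
        elif section == "O6":
            findings.append(("fix", section, "IE policy restriction present", body))
        elif section == "O15":
            findings.append(("review", section,
                             "site in IE Trusted Zone runs with relaxed security", body))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]          # the download URL is the last field
            host = urlparse(url).hostname or ""
            if host not in KNOWN_DPF_HOSTS:
                findings.append(("review", section, f"downloaded control from {host}", body))
    return findings


def fix_list(findings):
    """Only the entries a reviewer would tick for removal, as raw log lines."""
    return [f"{sec} - {body}" for sev, sec, _, body in findings if sev == "fix"]


if __name__ == "__main__":
    for sev, sec, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{sev:6}] {sec}: {reason}\n          {body}")
```

The O4 autostart line passes through untouched on purpose: the thread's reviewers treat autostarts as something to inspect by name, not something a rule can decide, and a script that ticks every unknown O4 would be worse than no script.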
bigc73542
April 9th, 2005, 09:57 PM
just in case you are interested, this is the same ip address I was getting when I trialed foxmail. Here is what my NSASoft Whois brought up.
Mephisto
April 27th, 2005, 04:51 PM
Get rid of these and you're fine - this is a SearchMaid infection.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro2004.com/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {904691A1-C588-4B27-BC47-D8599EDB3F97} - (no file)
O15 - Trusted Zone: www.euro2004.com