Wilders Security Forums  
#1 - August 13th, 2006, 12:15 AM
pitpro (Infrequent Poster, Join Date: Aug 2006, Posts: 1)
Post: I need help with this Please.

I have been working on a problem for the last few days that I can't seem to resolve. I'd like some help with this please.
I have running AVG, Kerio firewall, Trojan Hunter Guard, SMC Barricade router with SPI, XP Pro SP2 patched.
I have run scans with ewido 4.0, Pest Patrol, HijackThis, AVG, Spybot S&D, Bluelight root kit finder, Ad-Aware.
I have also gone over the HijackThis log line by line, ran PurgeIE to delete all temp files, cookies, history, etc. I have searched the run area of the registry, looked over running processes with a fine tooth comb, and started and reviewed the Windows firewall log.

Here's the problem: Watching netstat and Kerio I can see that when I am surfing, especially certain sites, my machine will connect (establish) to various IPs in the 220.130.117.40-70 range, port 80, Process ID = iexplore.exe, opening from one to many ports briefly, send/receive some bytes, then go into TIME_WAIT and disconnect. The IP translates to:
inetnum: 220.129.0.0 - 220.143.255.255
netname: HINET-NET
country: TW
descr: CHTD, Chunghwa Telecom Co.,Ltd.
descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr: Taipei Taiwan 100
admin-c: HN27-AP
tech-c: HN28-AP
status: ALLOCATED PORTABLE
changed: **********@twnic.net 20030611
mnt-by: MAINT-TW-TWNIC
source: APNIC

This has got me very nervous. The machine even connects to this site when the browser is not open, though a lot more infrequently. This behavior has me thinking this is some kind of keylogger/spyware that is reporting my browsing and who knows what else. Have I found something that is perfectly innocuous or what do I do from here? Kerio doesn't seem to be concerned. I searched the registry for 220 and found nothing. I looked at hosts files and found them without entries. This connection opens the most ports and connections with sites like my.yahoo and New York Times. Although like I said sometimes a connection is opened when the browser is not even open. Kerio put the word "radius" next to the connection one of the times this IP (220.137.117.55) logged a connection, but the rest of the times it was in the log it just put "http" next to it.
What is going on? ANY help would be appreciated, Thanks!

Last edited by pitpro : August 13th, 2006 at 12:19 AM. Reason: error
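A way to triage netstat output for the pattern described in this post, as an added example that is not part of the original thread: it parses constructed lines in Windows `netstat -ano` format, flags connections whose remote address falls in the 220.130.117.40-70 window the poster observed, and groups them by owning process. The PID-to-image-name map is a hypothetical stand-in for what `tasklist` would report.

```python
"""Triage netstat output for connections to a suspect address range.

Added example, not from the forum thread. Sample lines are constructed in
the column layout of Windows `netstat -ano` (Proto, Local, Foreign, State, PID).
"""
import ipaddress
from collections import defaultdict

# Constructed sample netstat rows; the first, third and fifth hit the range.
SAMPLE_NETSTAT = """\
TCP    192.168.1.10:1042   220.130.117.55:80    ESTABLISHED   1488
TCP    192.168.1.10:1043   220.130.117.61:80    TIME_WAIT     0
TCP    192.168.1.10:1044   220.130.117.44:80    ESTABLISHED   1488
TCP    192.168.1.10:1050   66.94.234.13:80      ESTABLISHED   1488
TCP    192.168.1.10:1051   220.130.117.70:80    ESTABLISHED   2012
UDP    0.0.0.0:500         *:*                                 736
"""

# Hypothetical PID -> image name map, as `tasklist` would report it.
PID_NAMES = {1488: "iexplore.exe", 2012: "svchost.exe", 736: "lsass.exe"}

# The window the poster observed, as an inclusive IPv4 range.
SUSPECT_LOW = ipaddress.IPv4Address("220.130.117.40")
SUSPECT_HIGH = ipaddress.IPv4Address("220.130.117.70")


def parse_netstat(text):
    """Yield (remote_ip, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # UDP rows have no state column; skip them here
        _proto, _local, remote, state, pid = fields
        host, _, port = remote.rpartition(":")
        yield ipaddress.IPv4Address(host), int(port), state, int(pid)


def suspect_connections(text, low=SUSPECT_LOW, high=SUSPECT_HIGH):
    """Group hits in [low, high] by owning process name.

    Returns {name: {"count": n, "states": set, "ips": set}}. PID 0 means the
    socket is no longer owned (typical for TIME_WAIT) and is reported as "<none>".
    """
    hits = defaultdict(lambda: {"count": 0, "states": set(), "ips": set()})
    for ip, _port, state, pid in parse_netstat(text):
        if not (low <= ip <= high):
            continue
        name = PID_NAMES.get(pid, "<none>" if pid == 0 else f"pid {pid}")
        hits[name]["count"] += 1
        hits[name]["states"].add(state)
        hits[name]["ips"].add(str(ip))
    return dict(hits)


if __name__ == "__main__":
    for name, info in suspect_connections(SAMPLE_NETSTAT).items():
        print(name, info["count"], sorted(info["states"]), sorted(info["ips"]))
```

Running it against real `netstat -ano` output lets you separate sockets owned by the browser from ones opened while it is closed, which is the distinction the post is trying to make.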
#2 - August 13th, 2006, 02:23 AM
the Tester (Very Frequent Poster, Join Date: Jul 2002, Location: The Gateway to the Blue Hills, WI., Posts: 2,855)
Re: I need help with this Please.

You could try ProcX from Ghost Security. It's freeware and excellent for looking at and/or terminating running processes.
It's available in this forum under the "Ghost Security" category.

You could try another av program like AntiVir.
You can try an online scan like "House Call" from Trend Micro.

Hope this helps.