219.145.179.103 in China on my system!

Hi all,

I keep having movement on my Harddisk so i looked at it woth PE
It seems that 219.145.179.103 is the target in China lokal port 139 and external port is 43.310

It keeps goig on and off but cannot make a connection to the outside.

It's only visible in the TCP and REMOTE tab's

Does anyone know how to get rid of this software that does this?
proces id is 4 (PID) so it's serious I guess.

How can I find out wich prg is doing this?

Frans

 

BTW, here's my hijackthis logfile.

What's is the problem?

Logfile of HijackThis v1.97.7
Scan saved at 1:14:43, on 25-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
H:\ftp\security\regprot\regprot\regprot.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Weather Watcher\ww.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Norman\NPF\NPFMSG.EXE
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\MailWasher Pro\MailWasher.exe
C:\ProcessGuard\procguard.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Norman\Nvc\BIN\Zanda.exe
C:\Program Files\United Devices\UD.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\Program Files\United Devices\ud_7174683.exe
C:\WINDOWS\System32\svchost.exe
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\Program Files\United Devices\ud_7174683_0.dir\ud_ligfit_Release.exe
C:\Program Files\TrojanHunter 3.8\TrojanHunter.exe
C:\Program Files\Port Explorer\PortExplorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\TDS3\Ext.Plug\nbsrvem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro2004.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fraha's own explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 194.109.6.83
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwproxy.xs4all.nl:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://host133.ipowerweb.com/vdeck;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {904691A1-C588-4B27-BC47-D8599EDB3F97} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ANWB Toolbar - {EBB03E3E-020A-418D-B322-761B730CA860} - C:\Program Files\ANWBToolbar\ANWBToolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Total Uninstall] C:\Program Files\Total Uninstall\Tun.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CSSplash] C:\Program Files\CryptoSuite\cs_splash.exe
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [RegProt] h:\ftp\security\regprot\regprot\regprot.exe /start
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [NWEReboot] C:\Program Files\Ahead\Nero\Uninstall\Unnero.exe /REMOVE="C:\DOCUME~1\FRANSH~1\LOCALS~1\Temp\RarSFX2"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [CamWizard] C:\Program Files\Common Files\Logitech\QCDRV\BIN\CamWizrd.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TDS3] C:\TDS3\TDS-3.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [SecureItPro] C:\Program Files\SecureIt Pro\secureitpro470p.exe /LOADSILENT
O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O4 - Startup: Process Guard.lnk = C:\ProcessGuard\procguard.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: StickIt Note Launcher.lnk = C:\StickIt\StickIt Launcher.exe
O4 - Startup: StickIt UDP Server.lnk = C:\StickIt\SIserver.exe
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NPF Messenger.lnk = ?
O4 - Global Startup: PGPtray.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: ANWB (HKLM)
O9 - Extra 'Tools' menuitem: ANWB-toolbar (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: www.anwb.nl
O15 - Trusted Zone: http://www.diamond.com.au
O15 - Trusted Zone: www.diamondcs.com.au
O15 - Trusted Zone: http://www.devolkskrant.nl
O15 - Trusted Zone: www.euro2004.com
O15 - Trusted Zone: http://groups.msn.com
O15 - Trusted Zone: www.nos.nl
O15 - Trusted Zone: http://www.nos.nl
O15 - Trusted Zone: http://www.nosnieuws.nl
O15 - Trusted Zone: europe.real.com
O15 - Trusted Zone: nl.sitestat.com
O15 - Trusted Zone: www.tspeedtest.nl
O15 - Trusted Zone: http://home.wanadoo.nl
O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/sikes/nl/win/QuickTimeInstaller.exe
O16 - DPF: {54BA1E8F-818D-407F-949D-BAE1692C5C18} (Attribute Class) - http://gemal.dk/browserspy/capicom.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/import/emailimport.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38105.6169675926
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444554340000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://fraha.instantlogic.com/XUpload.ocx
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} - http://companion.logitech.com/companion/logitech/ver1.3.0.2041/bin/imvid.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

Regards Frans

 

Hi,

Your log looks clean enough, its hard to tell what is going on. Port 139 would suggest perhaps you were portscanned by that IP on the NetBIOS ports, which your firewall should be blocking ?

I'd check fileshares and users to make sure they are all correct and have strong passwords. Then disable NetBIOS unless you absolutely NEED it for your Local Network. Finally, ensure your firewall rules block NetBIOS ports 137-139 to the internet..

 

Suppose it is on a netstat (SYSTEM) socket, and not related to an application on there?
As you blocked it, there will not be any packets to spy on (not possible on netstat sockets either), maybe set Port Listen on 139 via your TDS but since you blocked it i'm not expecting any results.
Resolving the IP doesn't give any clues either?
Does your Log File or the firewall log show anything? The Port Explorer log always shows which application is involved for the activity.

 

Hi Gavin and thanks for your reply.

The main worry is that there is constant activity on my harddisk.
When I look with port explorer there is a constant closing and opening of sockets (?) to that url.
As of today there is a connection shown in the Established tab!

All i can do is Kill socket but it's always back again after a while. mostly within the minute.

Is there a way to find out wich program is doing this?

Frans

 

To monitor hard drive activity download FileMon from www.sysinternals.com, this will give you a clear indication as to which process is actually behind the disk activity.

 

? This diskmon prg gives me constant writing of data to the HD but I cannot find any info on wich program does this.
Did I miss something?

Frans

 

Filemon, not Diskmon ...

http://www.sysinternals.com/ntw2k/source/filemon.shtml

 

Ok, ok, it's still eatly here! ;-)

After I downloaded this wonderfull program all activity to china and above mentioned IP address stopped.

I get the suspicion it has something to do with UD.com www.grid.org but This should be a first. I never noticed any activity to where ever from this program.

It could also be because I perminently closed ports 137-139 not sure yet.

I'm off to the user forum on www.grid.org to see if this could have been the problem.

I'll be back!

Thanks all!
Frans

 

UD should not have a constant connection to them: they should only upload a working packet and you send it back when ready, in the meantime you should not be connected to them all time.
I thought of those systems they would only use your spare CPU when you did not need it yourself. I ran several of their projects, but my system's performance went really bad with that, and using WinTasks i saw what really happened: it was as if the UD got preference over all resources / CPU and i was stumbling and stuttering to get my work done, RAM and CPU always at 100%.
So i closed UD, tried again several times, but since stopped it completely with great relief for all my system.
I don't want to be negative about the i think very useful projects, but on older /smaller /slower systems with too few resources it's not really advisable.
So if you had told you run UD we could have told you this part.
I do know several people with large heavy systems with all space who hardly notice anything of UD and Seti running at a time, at times several packets at a time (probably multi-user on one system) and they hardly notice anything at all. And they don't get to that 100% they told me.

So the 100% CPU / HD activity could be explained with that part.
But the constant connection to the Chinese address seems rather much! Unless your system is so superfast you're constantly sending on and forth packeches your system worked on or your UD project would be cone online!

Port Explorer should be able to throttle bandwith on those packets btw, and UD should show up with it's application icon in the list!
Honestly said i don't remember on which port it worked! Maybe something came with it which should not be there?
Did you scan the UD exe file another time and check for possible modifications?

 

It looks under control now. Have a disussion at ud.com about this.

I think i need to close down this progam too! Shame It was and is a good course...

Frans

 

Long ago when i still was running it i asked their support but never got a reply so after several times closing it and starting it after a few days and seeing the differences each time i decided to stop it completely.
Seti was less agressive on my CPU though, but this UD could use some more user's system friendly re-programming.
Close or kill it via the running process list in TDS or maybe throttling it's bandwidth via Port explorer could help, or start it manually when you go to sleep and not need your system while you are off line, whatever.......

 

WHOIS results for 219.145.179.103
Generated by www.DNSstuff.com
Country: [APNIC Unlisted]

ARIN says that this IP belongs to APNIC; I'm looking it up there.


Using cached answer (or, you can get fresh results).
Hiding E-mail address (you can get results with the E-mail address).

% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 219.144.0.0 - 219.145.255.255
netname: CHINANET-SN
descr: CHINANET shanxi(SN) province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: XC10-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-SHAANXI
changed: ***********@ns.chinanet.cn.net 20020702
status: ALLOCATED PORTABLE
source: APNIC

person: Chinanet Hostmaster
address: No.31 ,jingrong street,beijing
address: 100032
country: CN
phone: +86-10-66027112
fax-no: +86-10-58501144
e-mail: ***********@ns.chinanet.cn.net
e-mail: **********@ns.chinanet.cn.net
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: ***********@ns.chinanet.cn.net 20021016
remarks: hostmaster is not for spam complaint,please send spam complaint to**********@ns.chinanet.cn.net
source: APNIC

person: Xianghong Cao
address: Shaanxi province data communication Bureau
address: 8# guangde Road west development zone
address: Xi'an city, Shanxi province 710075
address: CN
phone: +8629-837-1049
fax-no: +8629-837-1049
e-mail: ******@PUBLIC.XA.SN.CN
nic-hdl: XC10-AP
mnt-by: MAINT-CHINANET-SHAANXI
changed: ******@PUBLIC.XA.SN.CN 20011203
source: APNIC



[If E-mail address(es) were hidden on this page, you can click here to get the results with the E-mail address.



--------------------------------------------------------------------------------

(C) Copyright 2000-2004 R. Scott Perry

 

Funny ----- the NetGeo location: ( new dns stuff expert site: http://www.dnsstuff.com/pages/expert.htm )

VERSION=1.0

TARGET: 219.145.179.103
NAME: APNIC-AP
NUMBER: 219.0.0.0 - 219.255.255.255
CITY: MILTON
STATE: NEW SOUTH WALES (state)
COUNTRY: AU
LAT: -35.32
LONG: 150.40
LAT_LONG_GRAN: City
LAST_UPDATED:
NIC: APNIC
LOOKUP_TYPE: Block Allocation
RATING:
DOMAIN_GUESS: apnic.net
STATUS: OK

 

Funny, why is the country not China? The result is wrong i think.

 

Using Proxies?

 

No, no proxies in use here!


Frans

 

Not you, the China IP. But of course it can also be an AU based domain registrered on Chinanet; sound rather logical or such a thing. Only little different as China was in your Country-code, not AU.
Did the activity come back in the meantime, and did you shut down occasionally the UD to see if it could be related?

 

It really said China in PE.

Perhaps the problem is no problem at all!

Could it be that the net-bus emulator does things like this?
Only now I noticed the last columns in PE's 'established' tab. There are never any numbers there, so i guess the alarm is 'loos' ?

Still seeing 'connections' but now from BR (Brazil) and other, not so great countries (as far as relay's are concerned)

If so, I'm sorry for the stirr...

Frans

 

(for the non-dutchies, "loos alarm" has nothing to do with loo's although in fact it has as it means false alarm which we rather flush)

I'm not sure Frans, anything could have been the matter, maybe another infection, hack, intrusion, stealing your bandwidth, using your system as a proxy, anything. Should be really imperative to check all your logs, updat all your scanners and in this case a daily full system scan with all options checked, an extra online scan , grc.com shields up, at www.wilders.org try all available online tests, as it looks like a backdoor installed. No rootkits detected? ProcessGuard working fine?
A router installed?
Maybe you can post the AutoStartViewer log, or if that is too private send it to support@diamondcs.com.au as it shows more then the HJT log.
euhmmm you reformatted since the other log? Post a new one please, as i simply don't trust what's happening. And close all kinds of distributed networks for a few days, seti, UD, kazaa, all messengers, etc etc. Check the msconfig for all startups, everything.

 

Yes, sorry about the Dutch word. could not find an English word for that! ;-)

Router is and has always been installed. It's a Draytek Vigor 2200E. The one with the cables! Everything is wired here!

complete scan done yesterday and almost every day. Only one problem detected and unremovable is a piece of software to remote ADMIN.
This software never worked for me but I cannot get rid of it. File locked somehow.
Strange this did not show up in mij HJ log!

I'm doing a tds scan now so I can tell you more about this problem! Perhaps this is the problem, never know.
Not likeley btw, the firewall is on for this prg. no chance that gets to the internet!

I even forgot the name of that prg. will be back later with more info on this

Frans

 

What can you tell about the remote admin? location, which program it is, etc; how did it come back after a complete reformat?

 

This is my first post at Wilders. 3 Port Explorers are installed at home. What an excellent eye opening software! A few remarks on this thread.

1. What puzzles me with the initial post on this thread is that Port Explorer should have detected the name AND path of the program that connects to China. I don't think this information has been given here yet.

2. This IP -- 219.145.179.103 -- should be resolved at the source since Port Explorer cannot resolve it. Source is http://www.apnic.net/ for Asia. There are 4 regional Internet address authorities for the world, of which APNIC is for Asia. When these regional authorities allocate IP addresses, they require disclosure of information such as phone numbers, persons in charge, etc., which brings me to the next point.

3. The e-mail addresses that were hidden at the other source are actually legible at APNIC:
hostmaster@ns.chinanet.cn.net
anti-spam@ns.chinanet.cn.net
IPADM@PUBLIC.XA.SN.CN (contact Xianghong Cao).

4. After I started using the 4-port DSL Linksys router with firmware version 1.37 in the year 2000, ZoneAlarm intercepted no intrusion attempt for a while. This was due to the masking effect of the router. But gradually, ZA started to pick up attempts (which means I ought to upgrade the router firmware). Interestingly, those attempts have been from rather sophisticated places, mostly some TELECOMs and university computer science departments. So some people know how to scan through the 1.37 Linksys router. Those telecoms have been mostly from Italy, France, South Korea and China.... which leads me to the final point.

5. Port Explorer could only identify that 219.145.179.103 was from China but could not provide more details. Since there are sophisticated people all over the world, including hackers and thieves, I suggest that the otherwise excellent PE be upgraded to resolve IP addresses from all over the world.

 

Hi there, and welcome!
What am i missing? 219.145.179.103 resolves/ whois-es to Chinanet with Port Explorer?
If you let it search automated, or you can click the apnic net if you like.
What do you see more then Chinanet? except for the node location i found...

 

I think you are now mixing two seperate msg strings.

Here, on my system I never formatted since my initial setup!

In the virus forum I mentioned a format with a new setup on the pc of my friend. Still no solution for that.

What i need is a quick ISO file wich has a good AV scanner on it and, if at all possible, some of the Diamondcs files.
A 30 day trial is enough for this.
for a later date it would be nice to know how to make a bootable cd-image witch selected programs on it so i can take that along. Untill that happens, I'll take along my 250 mb USB key with all that stuff installed.

First thing is to get a good AV scanner on a bootable cd so i can remove all virusses from THAT machine.
more on that in the virus forum!

Frans