Inappropriate attempts to connect to Internet

Discussion in 'other firewalls' started by jayzzz, Jan 22, 2006.

  1. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    January 3rd was the first time in years of using EditPad Lite that it froze up rather than saving a file as it should've, and Sygate Personal F/W notified me it was trying to contact "ftpext.usgs.gov" (screen snapshot attached), and that the program had changed.

    I did some searching and found one association with a page I've visited often in connection with watching Mt. Saint Helen's. I don't see how it could be relevant, though, or why it would be.

    Since then, every time I save a new file in EditPad Lite, NotePad, WordPad, or PrintShop, those applications try to make that same mysterious connection. The details differ slightly. My computer gets hung up for about 15 seconds while the firewall blocks them, and then it unfreezes and saves the file. When saving files that are modified rather than new, it doesn't happen, and Word is not affected.

    I don't believe this is a malware problem, however it seems unwise to ignore it without understanding its cause. I've got screen snapshots of the complete information from the firewall messages for 3 different applications I can post if anyone wants to see them, too.

    I use XPHome SP1, current on M$N fixes through January 10. Have Sygate Personal Firewall, AVGFree, SpywareBlaster and SpywareGuard. I keep MVPS HOSTS' latest version w/eDexter and use the Trusted and Restricted zones appropriately in IE/Avant. Firefox is my default browser. Ad-Aware and Spybot S&D are installed and I run them every couple of days. They never find anything but an occasional false positive. Per HijackThis, my system is squeaky-clean and WinPatrol reveals no processes that don't belong, either.

    Will attach a screen snapshot of the notification for EditPad Lite for now. Would be grateful for any input. :)
     

  2. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    hi, did you update EditPad Lite between these alerts and the last time you used it? i don't use Sygate but it looks like it's telling you, UNLESS YOU HAVE UPDATED IT, that it is no longer the same program! that could mean it's been updated or it's had something (dll) injected into it to make it change the way it behaves.

    you could upload the exe to jotti's and see what results you get.
    virusscan.jotti.org/

    you can also take the checksum for EditPad Lite.exe and find out the version you are using and see if you have the correct checksum. you might be able to find the checksum from Sygate. if not you can use Kana Checksum - install, or it could be a standalone i forget, then right click the exe and select checksum.
    http://www.kanasolution.com/download.php?i=42

    but, if you are saying a few of your notepad programs are doing this then you should do a malware scan.

    the whois says it's trying to get to: US Department of the Interior
    and port 21 that's the FTP server, so it looks like you are trying to connect to a server at the US Department of the Interior
     
    Last edited: Jan 23, 2006
  3. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    No, it hadn't been updated...and it never tried to connect to the Internet before, either. The other notepad-type programs trying to make the same connection do not include the statement that they've changed.
    Because the one image doesn't show the complete situation, I'll wait on these for now.

    It's ALL my notepad-type programs, PLUS PrintShop, which is an application to make greeting cards. Will include a snapshot of that at the bottom of this post. None of my malware-detection programs are finding anything, but will try one of them if no other answer arises in a few hours...PandaScan or ?

    It's puzzling. My computer has never had cause to contact the government before, and doesn't, now...except for the sites associated with Mount St. Helens when I choose to visit them.

    Will post right below this with a snapshot of the notice regarding Notepad's efforts to get to the same place.
     

  4. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    Here's the screen snapshot for NotePad.

    I've got another snapshot of the FTP site I somehow found myself in while searching for information, too...couldn't access any of the files, though, due to being unauthorized.

    Edit: Even though applications are trying to make connections outward, there's no sign of malevolent purpose (or any other purpose). I will run an online scan, though, just to confirm.
     

    Last edited: Jan 23, 2006
  5. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    sorry, i wish i could help. someone will have a better idea and explanation as to what's going on. CrazyM reads this forum and P2K does a bit too i think. have you tried sniffing the traffic?

    it's probably something obvious we are both missing. maybe you could get the thread moved to the FW forum :doubt:
     
  6. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    Nothing to be sorry for. I appreciate your response. :) I wouldn't know where to begin packet sniffing or recognize what I was looking for if I found it, so that's not a good route for me to take on my own.

    Hmmm. It never crossed my mind it might be caused by the firewall; it's selective, if involved.

    When it first began, SPF asked for permission a couple of times after it was set to block EditPad Lite w/o asking, but then it stopped. The programs hang up my whole system while SPF blocks their access before finally displaying what I need to give the files names. As I mentioned, files that aren't being saved for the first time don't trigger it and saving new Word files doesn't, either. :doubt:

    I'll mention one other thing, on the off-chance it could be connected: after using the WMF "unofficial" fix and unregistering the dll, then uninstalling, re-registering the dll and installing the "official" patch, previews of graphics on my desktop take about 20 seconds to be generated while previews of images within other folders are generated instantly, just like in the days before. It doesn't seem as if it could be related, but one of the few things I know for sure about computers is that doesn't mean it isn't! ;)
     
  7. ulook

    ulook Guest

    did u disable connection completely?

    also why use red and black.. that's a serious EYE strainer.. wow.
     
  8. metallicakid15

    metallicakid15 Registered Member

    Joined:
    Dec 6, 2005
    Posts:
    454
    could it be a keylogger sending your info to the attacker?
     
  9. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    If you mean in the firewall, yes, I did, thanks.

    The colours don't display that way in parts of Windows I work in. I enjoy red and it doesn't strain my eyes at all with the way I've customized the theme I use. Seemed impractical to switch it for the snapshot since it is legible.

    If I knew what it could be, I'd be asking questions in a more specific place. IMO, it's not likely a government site would be the remote location for something like that.
     
  10. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Hmm... have you tried to look at the packets it's sending, and/or tried to execute the process in a sandbox?
     
  11. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    No. I never learned how to look at packets or use a packet sniffer.

    I've seen mentions of allowing [a thing] to run in a sandbox, and know sandboxes restrict the abilities of [the things] that run in them, but that's not enough to be of any use. I'd need either very detailed instructions or a trusted, knowledgeable person to check it out remotely.

    I appreciate you taking the time to make suggestions, though. :)
     
  12. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well, with something like Sandboxie, you can see whether the file is trying to write to disk, where and what.
     
  13. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    YOU can, perhaps, but I'd need to know more than I do before I'd stand a chance. ;)
     
  14. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Hmmm... download and install Sandboxie, then click on the suspect process and choose "run sandboxed". ;)

    By the way, Sygate allows you to inspect contents of packets as well. ;)
     
  15. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    Will give it a try shortly and see if I can get it to do anything recognizable, thanks.

    Where might I find that in SPF's menus? And what would I be looking for in the packets? I'm not one of this group's more tech-savvy members. :cautious:
     
  16. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    I never had any trouble getting to the web site at all. I just type ftp://ftpext.usgs.gov into the address bar. Or ftp://137.227.224.110. It's a government geographical site...the readme says:

    "This is a U.S. Government computer system, maintained by the U.S. Geological
    Survey. U.S. Geological Survey computer systems are provided for the
    processing of Official, Unclassified U.S. Geological Survey information only."

    Have you installed any mapping software lately? Browser plugins or ActiveX controls? I saw a reference to the IP you mentioned here:

    http://translate.google.com/transla...137.227.224.110%22&num=100&hl=en&lr=&safe=off

    Perhaps whatever installed corrupted the saving of text files. You might also check your folder options/file types for .txt and search the registry for ftpext.usgs.gov or 137.227.224.110. See any new items in Add/Remove Programs?
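Searching the Registry by hand for the hostname and IP, as suggested above, is tedious and a plain-text Find misses hex-encoded values. The following is an added example, not code from the thread or from any product named in it: it scans a `reg export` text dump for a list of indicators and reports the key and value name of each hit. The key paths and values in the sample are constructed for illustration.

```python
import re

# Constructed sample of a `reg export` dump (not from the thread): a plain string
# in a search-history list and a hex-encoded value a plain text search would miss.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Example\SearchHistory]
"MRU0"="ftpext.usgs.gov"
"MRU1"="budget.xls"

[HKEY_CURRENT_USER\Software\Example\RecentUrls]
"Url0"=hex:66,74,70,3a,2f,2f,31,33,37,2e,32,32,37,2e,32,32,34,2e,\
  31,31,30,2f,00
'''

def decode_value(raw: str) -> str:
    """Turn one .reg value literal into searchable text."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\')
    m = re.match(r'^hex(?:\(\w+\))?:(.*)$', raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(',') if b.strip())
        # REG_EXPAND_SZ / REG_MULTI_SZ exports are UTF-16LE (every odd byte is 0).
        if len(data) % 2 == 0 and set(data[1::2]) == {0}:
            return data.decode('utf-16-le')
        return data.decode('latin-1')
    return raw  # dword:... and other literals are already searchable text

def parse_reg_export(text: str):
    """Yield (key_path, value_name, decoded_text) for every value in the dump."""
    joined = re.sub(r'\\\r?\n\s*', '', text)  # rejoin hex lines wrapped with '\'
    key = None
    for line in joined.splitlines():
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            key = m.group(1)
            continue
        m = re.match(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$', line)
        if m and key is not None:
            yield key, m.group(1).strip('"'), decode_value(m.group(2))

def find_indicators(text: str, indicators):
    """Return (key, value_name, text) triples whose data mention any indicator."""
    wanted = [i.lower() for i in indicators]
    return [(k, n, v) for k, n, v in parse_reg_export(text)
            if any(w in v.lower() for w in wanted)]

if __name__ == "__main__":
    for key, name, value in find_indicators(SAMPLE_REG, ["ftpext.usgs.gov", "137.227.224.110"]):
        print(f"{key}\\{name} -> {value.rstrip(chr(0))}")
```

On a real machine, export a hive first (for example `reg export HKCU hkcu.reg`) and pass the file's contents in place of the sample; a hit only tells you where the string lives, not why it is there.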
     
  17. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    I appreciate the input, but you may have misunderstood. Those applications are trying to make contact, but I'm not.

    There's no potential gain from deliberately getting my browser to a U.S. Geological ftp page where I can't access the files, anyhow. I've got a screen snapshot of that, including the URL, but don't remember how I got there...

    No. This started before I reinstalled Firefox last week with extensions. I don't know what mapping software does so I really doubt it. Likewise for ActiveX controls unless there are specific applications that would include them w/o mentioning it.

    Am not sure what you mean. Which IP?

    I found both by searching in registry...will move to recycle bin and see if that improves things. I have no idea whether finding them in the registry is significant, and if so, in what way...
     

  18. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    I deleted them and the problem seems to be gone. I saved a new file created in EditPad Lite without a hiccup.

    I still don't understand what happened, how or why, but thank you so much for suggesting I look for those items in my registry!
     

  19. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Would you mind posting the whole registry key location of those entries Please.
     
  20. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    Thanks, Bubba.

    Another friend asked me about that yesterday. I (mistakenly) expected to be able to restore the two deleted items from the Recycle Bin if need be. I'm not accustomed to doing things in the Registry and didn't think :blink: to pay attention to where they were. :cautious:

    All I found in the Recycle Bin was an Internet shortcut that looks like it came from my Desktop (I don't remember deleting that shortcut...) with properties: ftp://ftpext.usgs.gov/pub/wr/wa/vancouver/MSH_Images/.

    I reopened Regedit and it was apparently "aimed at" the same place I'd deleted from because the other items remaining in the group are identical. The snapshot (attached) shows all in an Agent Ransack subfolder. The items listed are all searches I used Agent Ransack to do within the previous 24 hrs., including trying (and failing) to find the URL and IP address noway suggested before actually looking in the Registry using Start/Run/etc. I hadn't recognized that at the time of the first screen snapshot. Makes no sense that deleting a record of a search in my computer would've stopped my applications from trying to connect out. :doubt:

    I'm curious about how this happened...and what it was that happened. Do you think it's a good idea to use System Restore to go back a few days and look at the Registry? Then I'd undo it.
     

  21. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    This is a screen snapshot of where I was (got lost, sort of) earlier in the morning on Jan. 3. The volcano camera was having problems and I was looking around. About 3 hours later (per the times of the screen snapshots), I got the first message from SPF about EditPad Lite trying to call out.

    I couldn't access any of those files, but "MyDocs," on the right left, is My Documents.
     

    Last edited: Jan 25, 2006