219.145.179.103 in China on my system!

Discussion in 'Port Explorer' started by Fraha, Jun 24, 2004.

Thread Status:
Not open for further replies.
  1. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Hi all,

    I keep having movement on my hard disk so I looked at it with PE.
    It seems that 219.145.179.103 is the target in China; local port 139 and external port is 43.310.

    It keeps going on and off but cannot make a connection to the outside.

    It's only visible in the TCP and REMOTE tabs.

    Does anyone know how to get rid of the software that does this?
    Process id is 4 (PID) so it's serious I guess.

    How can I find out which program is doing this?

    Frans
     
  2. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    BTW, here's my hijackthis logfile.

    What is the problem?

    Logfile of HijackThis v1.97.7
    Scan saved at 1:14:43, on 25-6-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    H:\ftp\security\regprot\regprot\regprot.exe
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\LVCOMSX.EXE
    C:\Weather Watcher\ww.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Norman\NPF\NPFMSG.EXE
    C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\MailWasher Pro\MailWasher.exe
    C:\ProcessGuard\procguard.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\ProcessGuard\dcsuserprot.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    C:\Norman\Nvc\BIN\Zanda.exe
    C:\Program Files\United Devices\UD.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\PGPsdkServ.exe
    C:\WINDOWS\System32\hpoipm07.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\Program Files\United Devices\ud_7174683.exe
    C:\WINDOWS\System32\svchost.exe
    C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\NORMAN\Nvc\BIN\cclaw.exe
    C:\Program Files\United Devices\ud_7174683_0.dir\ud_ligfit_Release.exe
    C:\Program Files\TrojanHunter 3.8\TrojanHunter.exe
    C:\Program Files\Port Explorer\PortExplorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\TDS3\Ext.Plug\nbsrvem.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro2004.com/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fraha's own explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 194.109.6.83
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwproxy.xs4all.nl:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://host133.ipowerweb.com/vdeck;;localhost;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {904691A1-C588-4B27-BC47-D8599EDB3F97} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: ANWB Toolbar - {EBB03E3E-020A-418D-B322-761B730CA860} - C:\Program Files\ANWBToolbar\ANWBToolbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Total Uninstall] C:\Program Files\Total Uninstall\Tun.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [CSSplash] C:\Program Files\CryptoSuite\cs_splash.exe
    O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
    O4 - HKLM\..\Run: [RegProt] h:\ftp\security\regprot\regprot\regprot.exe /start
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
    O4 - HKLM\..\Run: [NWEReboot] C:\Program Files\Ahead\Nero\Uninstall\Unnero.exe /REMOVE="C:\DOCUME~1\FRANSH~1\LOCALS~1\Temp\RarSFX2"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [CamWizard] C:\Program Files\Common Files\Logitech\QCDRV\BIN\CamWizrd.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [TDS3] C:\TDS3\TDS-3.exe
    O4 - HKCU\..\Run: [WeatherWatcher] C:\Weather Watcher\ww.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
    O4 - HKCU\..\Run: [SecureItPro] C:\Program Files\SecureIt Pro\secureitpro470p.exe /LOADSILENT
    O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
    O4 - Startup: Process Guard.lnk = C:\ProcessGuard\procguard.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: StickIt Note Launcher.lnk = C:\StickIt\StickIt Launcher.exe
    O4 - Startup: StickIt UDP Server.lnk = C:\StickIt\SIserver.exe
    O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NPF Messenger.lnk = ?
    O4 - Global Startup: PGPtray.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: ANWB (HKLM)
    O9 - Extra 'Tools' menuitem: ANWB-toolbar (HKLM)
    O9 - Extra button: @btrez.dll,-4015 (HKLM)
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O15 - Trusted Zone: www.anwb.nl
    O15 - Trusted Zone: http://www.diamond.com.au
    O15 - Trusted Zone: www.diamondcs.com.au
    O15 - Trusted Zone: http://www.devolkskrant.nl
    O15 - Trusted Zone: www.euro2004.com
    O15 - Trusted Zone: http://groups.msn.com
    O15 - Trusted Zone: www.nos.nl
    O15 - Trusted Zone: http://www.nos.nl
    O15 - Trusted Zone: http://www.nosnieuws.nl
    O15 - Trusted Zone: europe.real.com
    O15 - Trusted Zone: nl.sitestat.com
    O15 - Trusted Zone: www.tspeedtest.nl
    O15 - Trusted Zone: http://home.wanadoo.nl
    O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/sikes/nl/win/QuickTimeInstaller.exe
    O16 - DPF: {54BA1E8F-818D-407F-949D-BAE1692C5C18} (Attribute Class) - http://gemal.dk/browserspy/capicom.dll
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/import/emailimport.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38105.6169675926
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444554340000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://fraha.instantlogic.com/XUpload.ocx
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} - http://companion.logitech.com/companion/logitech/ver1.3.0.2041/bin/imvid.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

    Regards Frans
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Your log looks clean enough; it's hard to tell what is going on. Port 139 would suggest perhaps you were portscanned by that IP on the NetBIOS ports, which your firewall should be blocking?

    I'd check fileshares and users to make sure they are all correct and have strong passwords. Then disable NetBIOS unless you absolutely NEED it for your Local Network. Finally, ensure your firewall rules block NetBIOS ports 137-139 to the internet.
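One way to check mechanically for what Gavin describes (NetBIOS ports being reached from outside the local network), as an added example that is not part of this thread and not code from Port Explorer or DiamondCS: the script below parses rows in the layout of the built-in Windows `netstat -ano` command and flags every socket on ports 137-139/445 whose peer is a public address. The sample rows are constructed for the example, using the peer address from the thread. PID 4 is the System process on Windows XP, which is the normal owner of the kernel SMB/NetBIOS listener on port 139, so the PID by itself does not point at a user-mode program; what matters is whether an external peer is reaching that port at all, which a correctly configured firewall or router prevents.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Ports carrying NetBIOS name/datagram/session service and direct-hosted SMB.
NETBIOS_SMB_PORTS = {137, 138, 139, 445}


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: int


def _endpoint(text):
    """Split 'ip:port' into (ip, port); netstat prints '*:*' for unbound UDP peers."""
    ip, port = text.rsplit(":", 1)
    if ip == "*":
        ip = "0.0.0.0"
    return ip, (0 if port == "*" else int(port))


def parse_netstat_line(line):
    """Parse one 'netstat -ano' row; returns None for the header and blank lines."""
    parts = line.split()
    if len(parts) == 4 and parts[0] == "UDP":      # UDP rows have no state column
        parts.insert(3, "")
    if len(parts) != 5 or parts[0] not in ("TCP", "UDP"):
        return None
    proto, local, remote, state, pid = parts
    lip, lport = _endpoint(local)
    rip, rport = _endpoint(remote)
    return Socket(proto, lip, lport, rip, rport, state, int(pid))


def is_external(ip):
    """True for globally routable addresses (excludes RFC 1918, loopback, 0.0.0.0, ...)."""
    return ipaddress.ip_address(ip).is_global


def find_external_netbios(lines):
    """Sockets on NetBIOS/SMB ports whose peer lies outside the local network."""
    found = []
    for line in lines:
        s = parse_netstat_line(line)
        if s is None:
            continue
        on_netbios = s.local_port in NETBIOS_SMB_PORTS or s.remote_port in NETBIOS_SMB_PORTS
        if on_netbios and is_external(s.remote_ip):
            found.append(s)
    return found


def peers_by_count(findings):
    """Count how often each external peer shows up, so repeated 'on and off' attempts stand out."""
    return Counter(s.remote_ip for s in findings)


# Constructed sample in netstat -ano layout; 219.145.179.103 is the peer named in the thread.
SAMPLE = """
Proto  Local Address          Foreign Address        State           PID
TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
TCP    192.168.1.10:139       219.145.179.103:43310  SYN_RECEIVED    4
TCP    192.168.1.10:139       219.145.179.103:43311  SYN_RECEIVED    4
TCP    192.168.1.10:139       192.168.1.20:1027      ESTABLISHED     4
TCP    192.168.1.10:1042      64.91.255.87:80        ESTABLISHED     1234
UDP    192.168.1.10:137       *:*                                    4
""".strip().splitlines()

if __name__ == "__main__":
    hits = find_external_netbios(SAMPLE)
    for s in hits:
        print(f"{s.proto} {s.local_ip}:{s.local_port} <- {s.remote_ip}:{s.remote_port} {s.state} pid={s.pid}")
    print(peers_by_count(hits))
```

Run it against the real output of `netstat -ano` redirected to a file, one row per line; the LAN peer (192.168.1.20) and the ordinary HTTP connection are left alone, only the two half-open attempts from the public address against port 139 are reported.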
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Suppose it is on a netstat (SYSTEM) socket, and not related to an application on there?
    As you blocked it, there will not be any packets to spy on (not possible on netstat sockets either); maybe set Port Listen on 139 via your TDS, but since you blocked it I'm not expecting any results.
    Resolving the IP doesn't give any clues either?
    Does your Log File or the firewall log show anything? The Port Explorer log always shows which application is involved for the activity.
     
  5. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Hi Gavin and thanks for your reply.

    The main worry is that there is constant activity on my harddisk.
    When I look with Port Explorer there is a constant closing and opening of sockets (?) to that URL.
    As of today there is a connection shown in the Established tab!

    All I can do is Kill socket but it's always back again after a while, mostly within the minute.

    Is there a way to find out which program is doing this?

    Frans
     
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    To monitor hard drive activity download FileMon from www.sysinternals.com, this will give you a clear indication as to which process is actually behind the disk activity.
     
  7. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    ? This diskmon prg gives me constant writing of data to the HD but I cannot find any info on which program does this.
    Did I miss something?

    Frans
     
  8. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
  9. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Ok, ok, it's still early here! ;-)

    After I downloaded this wonderful program all activity to China and the above mentioned IP address stopped.

    I get the suspicion it has something to do with UD.com www.grid.org but this should be a first. I never noticed any activity to wherever from this program.

    It could also be because I permanently closed ports 137-139, not sure yet.

    I'm off to the user forum on www.grid.org to see if this could have been the problem.

    I'll be back!

    Thanks all!
    Frans
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    UD should not have a constant connection to them: they should only upload a working packet and you send it back when ready; in the meantime you should not be connected to them all the time.
    I thought of those systems they would only use your spare CPU when you did not need it yourself. I ran several of their projects, but my system's performance went really bad with that, and using WinTasks I saw what really happened: it was as if the UD got preference over all resources / CPU and I was stumbling and stuttering to get my work done, RAM and CPU always at 100%.
    So I closed UD, tried again several times, but since stopped it completely with great relief for all my system.
    I don't want to be negative about the I think very useful projects, but on older / smaller / slower systems with too few resources it's not really advisable.
    So if you had told you run UD we could have told you this part.
    I do know several people with large heavy systems with all space who hardly notice anything of UD and Seti running at a time, at times several packets at a time (probably multi-user on one system) and they hardly notice anything at all. And they don't get to that 100% they told me.

    So the 100% CPU / HD activity could be explained with that part.
    But the constant connection to the Chinese address seems rather much! Unless your system is so superfast you're constantly sending back and forth packets your system worked on or your UD project would be cone online!

    Port Explorer should be able to throttle bandwidth on those packets btw, and UD should show up with its application icon in the list!
    Honestly said I don't remember on which port it worked! Maybe something came with it which should not be there?
    Did you scan the UD exe file another time and check for possible modifications?
     
  11. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    It looks under control now. Having a discussion at ud.com about this.

    I think I need to close down this program too! Shame, it was and is a good cause...

    Frans
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Long ago when I still was running it I asked their support but never got a reply, so after several times closing it and starting it after a few days and seeing the differences each time I decided to stop it completely.
    Seti was less aggressive on my CPU though, but this UD could use some more user-system-friendly re-programming.
    Close or kill it via the running process list in TDS, or maybe throttling its bandwidth via Port Explorer could help, or start it manually when you go to sleep and don't need your system while you are offline, whatever.......
     
  13. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    WHOIS results for 219.145.179.103
    Generated by www.DNSstuff.com
    Country: [APNIC Unlisted]

    ARIN says that this IP belongs to APNIC; I'm looking it up there.


    % [whois.apnic.net node-2]
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

    inetnum: 219.144.0.0 - 219.145.255.255
    netname: CHINANET-SN
    descr: CHINANET shanxi(SN) province network
    descr: China Telecom
    descr: No.31,jingrong street
    descr: Beijing 100032
    country: CN
    admin-c: CH93-AP
    tech-c: XC10-AP
    mnt-by: MAINT-CHINANET
    mnt-lower: MAINT-CHINANET-SHAANXI
    changed: ***********@ns.chinanet.cn.net 20020702
    status: ALLOCATED PORTABLE
    source: APNIC

    person: Chinanet Hostmaster
    address: No.31 ,jingrong street,beijing
    address: 100032
    country: CN
    phone: +86-10-66027112
    fax-no: +86-10-58501144
    e-mail: ***********@ns.chinanet.cn.net
    e-mail: **********@ns.chinanet.cn.net
    nic-hdl: CH93-AP
    mnt-by: MAINT-CHINANET
    changed: ***********@ns.chinanet.cn.net 20021016
    remarks: hostmaster is not for spam complaint,please send spam complaint to**********@ns.chinanet.cn.net
    source: APNIC

    person: Xianghong Cao
    address: Shaanxi province data communication Bureau
    address: 8# guangde Road west development zone
    address: Xi'an city, Shanxi province 710075
    address: CN
    phone: +8629-837-1049
    fax-no: +8629-837-1049
    e-mail: ******@PUBLIC.XA.SN.CN
    nic-hdl: XC10-AP
    mnt-by: MAINT-CHINANET-SHAANXI
    changed: ******@PUBLIC.XA.SN.CN 20011203
    source: APNIC

     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Funny ----- the NetGeo location: ( new dns stuff expert site: http://www.dnsstuff.com/pages/expert.htm )

    VERSION=1.0

    TARGET: 219.145.179.103
    NAME: APNIC-AP
    NUMBER: 219.0.0.0 - 219.255.255.255
    CITY: MILTON
    STATE: NEW SOUTH WALES (state)
    COUNTRY: AU
    LAT: -35.32
    LONG: 150.40
    LAT_LONG_GRAN: City
    LAST_UPDATED:
    NIC: APNIC
    LOOKUP_TYPE: Block Allocation
    RATING:
    DOMAIN_GUESS: apnic.net
    STATUS: OK
     
    Last edited: Jun 28, 2004
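The two lookups above disagree about the country because they answer at different granularities: the NetGeo record describes the whole 219.0.0.0 - 219.255.255.255 block held by the registry (LOOKUP_TYPE: Block Allocation, with a location tied to that block rather than to the end network), while the APNIC whois record is the more specific 219.144.0.0 - 219.145.255.255 allocation to CHINANET-SN. The script below is an added example, not code from this thread, DNSstuff or Port Explorer: it parses both outputs as `key: value` records (the text is taken from the posts above, with the person records trimmed) and, for a given address, returns the name and country of the smallest range that contains it.

```python
import ipaddress

# APNIC RPSL output as posted in the thread (e-mail addresses were masked by the poster).
APNIC_TEXT = """
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 219.144.0.0 - 219.145.255.255
netname: CHINANET-SN
descr: CHINANET shanxi(SN) province network
descr: China Telecom
country: CN
admin-c: CH93-AP
tech-c: XC10-AP
mnt-by: MAINT-CHINANET
status: ALLOCATED PORTABLE
source: APNIC

person: Chinanet Hostmaster
nic-hdl: CH93-AP
country: CN
source: APNIC
"""

# NetGeo output as posted: a lookup at block-allocation granularity.
NETGEO_TEXT = """
VERSION=1.0

TARGET: 219.145.179.103
NAME: APNIC-AP
NUMBER: 219.0.0.0 - 219.255.255.255
CITY: MILTON
STATE: NEW SOUTH WALES (state)
COUNTRY: AU
LOOKUP_TYPE: Block Allocation
STATUS: OK
"""


def parse_records(text):
    """Split 'key: value' output into records separated by blank lines; '%'/'#' comment lines are skipped."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith(("%", "#")) or ":" not in line:
            continue
        key, value = line.split(":", 1)
        # Keys are lower-cased so RPSL 'country' and NetGeo 'COUNTRY' land in the same slot.
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def parse_range(text):
    """'a.b.c.d - e.f.g.h' -> (first, last) as address objects."""
    first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
    return first, last


def ranges_in(records, keys=("inetnum", "number")):
    """Collect every address range a record declares, keeping the record alongside it."""
    out = []
    for rec in records:
        for key in keys:
            if key in rec:
                first, last = parse_range(rec[key][0])
                out.append((first, last, rec))
    return out


def most_specific(ip, ranges):
    """Of all ranges containing ip, return the record of the smallest one (the most specific allocation)."""
    addr = ipaddress.ip_address(ip)
    hits = [(int(last) - int(first), rec) for first, last, rec in ranges if first <= addr <= last]
    if not hits:
        return None
    return min(hits, key=lambda h: h[0])[1]


def lookup(ip, *whois_texts):
    """Name and country of the most specific range covering ip across several whois outputs."""
    ranges = []
    for text in whois_texts:
        ranges.extend(ranges_in(parse_records(text)))
    rec = most_specific(ip, ranges)
    if rec is None:
        return None
    name = (rec.get("netname") or rec.get("name") or ["?"])[0]
    country = (rec.get("country") or ["?"])[0]
    return {"netname": name, "country": country}


if __name__ == "__main__":
    print(lookup("219.145.179.103", APNIC_TEXT, NETGEO_TEXT))   # CHINANET-SN / CN wins over the /8
    print(lookup("219.145.179.103", NETGEO_TEXT))               # only the block record: APNIC-AP / AU
```

The same parser works on raw output from any of the regional registries' whois servers, since they all emit blank-line-separated `key: value` records; when a lookup returns a registry's own block instead of the end network, as NetGeo did here, query the registry directly for the more specific allocation.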
  15. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647

    Funny, why is the country not China? The result is wrong I think.
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Using Proxies?
     
  17. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    No, no proxies in use here!


    Frans
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Not you, the China IP. But of course it can also be an AU based domain registered on Chinanet; sounds rather logical or some such thing. Only a little different as China was in your country code, not AU.
    Did the activity come back in the meantime, and did you shut down occasionally the UD to see if it could be related?
     
  19. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    It really said China in PE.

    Perhaps the problem is no problem at all!

    Could it be that the net-bus emulator does things like this?
    Only now I noticed the last columns in PE's 'established' tab. There are never any numbers there, so I guess the alarm is 'loos'?

    Still seeing 'connections' but now from BR (Brazil) and other, not so great countries (as far as relays are concerned).

    If so, I'm sorry for the stir... :blink:

    Frans
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    (for the non-dutchies, "loos alarm" has nothing to do with loo's although in fact it has as it means false alarm which we rather flush)

    I'm not sure Frans, anything could have been the matter, maybe another infection, hack, intrusion, stealing your bandwidth, using your system as a proxy, anything. Should be really imperative to check all your logs, update all your scanners and in this case a daily full system scan with all options checked, an extra online scan, grc.com Shields Up, at www.wilders.org try all available online tests, as it looks like a backdoor installed. No rootkits detected? ProcessGuard working fine?
    A router installed?
    Maybe you can post the AutoStartViewer log, or if that is too private send it to support@diamondcs.com.au as it shows more than the HJT log.
    euhmmm, you reformatted since the other log? Post a new one please, as I simply don't trust what's happening. And close all kinds of distributed networks for a few days, seti, UD, kazaa, all messengers, etc etc. Check the msconfig for all startups, everything.
     
  21. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Yes, sorry about the Dutch word, could not find an English word for that! ;-)

    Router is and has always been installed. It's a Draytek Vigor 2200E. The one with the cables! Everything is wired here!

    Complete scan done yesterday and almost every day. Only one problem detected and unremovable is a piece of software for remote ADMIN.
    This software never worked for me but I cannot get rid of it. File locked somehow.
    Strange this did not show up in my HJ log!

    I'm doing a TDS scan now so I can tell you more about this problem! Perhaps this is the problem, never know.
    Not likely btw, the firewall is on for this prg, no chance that gets to the internet!

    I even forgot the name of that prg. Will be back later with more info on this.

    Frans
     
  22. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    What can you tell about the remote admin? location, which program it is, etc; how did it come back after a complete reformat?
     
  23. Pigitus

    Pigitus Guest

    This is my first post at Wilders. 3 Port Explorers are installed at home. What an excellent eye-opening software! A few remarks on this thread.

    1. What puzzles me with the initial post on this thread is that Port Explorer should have detected the name AND path of the program that connects to China. I don't think this information has been given here yet.

    2. This IP -- 219.145.179.103 -- should be resolved at the source since Port Explorer cannot resolve it. Source is http://www.apnic.net/ for Asia. There are 4 regional Internet address authorities for the world, of which APNIC is for Asia. When these regional authorities allocate IP addresses, they require disclosure of information such as phone numbers, persons in charge, etc., which brings me to the next point.

    3. The e-mail addresses that were hidden at the other source are actually legible at APNIC:
    hostmaster@ns.chinanet.cn.net
    anti-spam@ns.chinanet.cn.net
    IPADM@PUBLIC.XA.SN.CN (contact Xianghong Cao).

    4. After I started using the 4-port DSL Linksys router with firmware version 1.37 in the year 2000, ZoneAlarm intercepted no intrusion attempt for a while. This was due to the masking effect of the router. But gradually, ZA started to pick up attempts (which means I ought to upgrade the router firmware). Interestingly, those attempts have been from rather sophisticated places, mostly some TELECOMs and university computer science departments. So some people know how to scan through the 1.37 Linksys router. Those telecoms have been mostly from Italy, France, South Korea and China.... which leads me to the final point.

    5. Port Explorer could only identify that 219.145.179.103 was from China but could not provide more details. Since there are sophisticated people all over the world, including hackers and thieves, I suggest that the otherwise excellent PE be upgraded to resolve IP addresses from all over the world.
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there, and welcome!
    What am I missing? 219.145.179.103 resolves/whois-es to Chinanet with Port Explorer?
    If you let it search automated, or you can click the apnic net if you like.
    What do you see more than Chinanet? Except for the node location I found...
     
  25. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    I think you are now mixing two separate message strings.

    Here, on my system I never formatted since my initial setup!

    In the virus forum I mentioned a format with a new setup on the pc of my friend. Still no solution for that.

    What I need is a quick ISO file which has a good AV scanner on it and, if at all possible, some of the DiamondCS files.
    A 30 day trial is enough for this.
    For a later date it would be nice to know how to make a bootable CD image with selected programs on it so I can take that along. Until that happens, I'll take along my 250 MB USB key with all that stuff installed.

    First thing is to get a good AV scanner on a bootable CD so I can remove all viruses from THAT machine.
    More on that in the virus forum!

    Frans
     