I need help with this Please.

Discussion in 'malware problems & news' started by pitpro, Aug 13, 2006.

Thread Status:
Not open for further replies.
  1. pitpro

    pitpro Registered Member

    Joined:
    Aug 12, 2006
    Posts:
    1
    I have been working on a problem for the last few days that I can't seem to resolve. I'd like some help with this, please.
    I am running AVG, Kerio firewall, Trojan Hunter Guard, SMC Barricade router with SPI, XP Pro SP2 patched.
    I have run scans with ewido 4.0, Pest Patrol, HijackThis, AVG, Spybot S&D, Bluelight root kit finder, Ad-Aware.
    I have also gone over the HijackThis log line by line, ran PurgeIE to delete all temp files, cookies, history, etc. I have searched the run area of the registry, looked over running processes with a fine-tooth comb, and started and reviewed the Windows Firewall log.

    Here's the problem: Watching netstat and Kerio I can see that when I am surfing, especially certain sites, my machine will connect (establish) to various IPs in the 220.130.117.40-70 domain, port 80, Process ID=iexplore.exe, opening from one to many ports briefly, sending/receiving some bytes, then going into TIME_WAIT and disconnecting. The IP translates to:
    inetnum: 220.129.0.0 - 220.143.255.255
    netname: HINET-NET
    country: TW
    descr: CHTD, Chunghwa Telecom Co.,Ltd.
    descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
    descr: Taipei Taiwan 100
    admin-c: HN27-AP
    tech-c: HN28-AP
    status: ALLOCATED PORTABLE
    changed: **********@twnic.net 20030611
    mnt-by: MAINT-TW-TWNIC
    source: APNIC

    This has got me very nervous. The machine even connects to this site when the browser is not open, though a lot more infrequently. This behavior has me thinking this is some kind of keylogger/spyware that is reporting my browsing and who knows what else. Have I found something that is perfectly innocuous or what do I do from here? Kerio doesn't seem to be concerned. I searched the registry for 220 and found nothing. I looked at hosts files and found them without entries. This connection opens the most ports and connections with sites like my.yahoo and New York Times. Although like I said sometimes a connection is opened when the browser is not even open. Kerio put the word "radius" next to the connection one of the times this IP (220.137.117.55) logged a connection, but the rest of the times it was in the log it just put "http" next to it.
    What is going on? ANY help would be appreciated, Thanks!
     
    Last edited: Aug 13, 2006
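The poster is reading netstat by eye; the question he actually needs answered is which process owns each connection into that range, since on XP SP2 `netstat -ano` prints the owning PID and TIME_WAIT rows show PID 0 and cannot be attributed. The script below is an added example, not code from the thread, that parses constructed `netstat -ano` output and a constructed PID-to-image mapping (as `tasklist` would show) and counts connections per process and remote IP within the 220.130.117.40-70 range the poster observed.

```python
import ipaddress
from collections import Counter

# Constructed sample of `netstat -ano` output in Windows XP format (not the poster's data).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.2.10:1045      220.130.117.42:80      ESTABLISHED     1528
  TCP    192.168.2.10:1046      220.130.117.55:80      TIME_WAIT       0
  TCP    192.168.2.10:1047      220.130.117.61:80      ESTABLISHED     1528
  TCP    192.168.2.10:1050      220.130.117.48:80      ESTABLISHED     900
  TCP    192.168.2.10:1052      66.94.230.45:80        ESTABLISHED     1528
  UDP    192.168.2.10:1900      *:*                                    1100
"""

# Constructed PID -> image name mapping, as `tasklist` would list it (assumption).
PID_TO_IMAGE = {1528: "iexplore.exe", 900: "svchost.exe", 1100: "svchost.exe"}

# The remote range reported in the thread: 220.130.117.40 through .70 inclusive.
RANGE_LO = ipaddress.ip_address("220.130.117.40")
RANGE_HI = ipaddress.ip_address("220.130.117.70")

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) from `netstat -ano` text."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank and 'Active Connections' lines
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:
            proto, local, remote, pid = parts  # UDP rows carry no State column
            state = ""
        yield proto, local, remote, state, int(pid)

def connections_in_range(text, lo, hi, pid_map):
    """Count connections whose remote IP lies in [lo, hi], keyed by (image, ip).
    PID 0 rows (TIME_WAIT sockets already released by their owner) are reported
    as 'unattributed', which is why a live capture beats a single snapshot."""
    hits = Counter()
    for proto, local, remote, state, pid in parse_netstat(text):
        host, _, port = remote.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # '*' wildcards or unresolved hostnames
        if not (lo <= ip <= hi):
            continue
        image = "unattributed" if pid == 0 else pid_map.get(pid, f"pid {pid}")
        hits[(image, str(ip))] += 1
    return dict(hits)
```

Connections that appear with a PID other than the browser's, or that keep showing up while no browser is running, are the rows worth chasing with a process viewer.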
  2. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    You could try ProcX from Ghost Security. It's freeware and excellent for looking at and/or terminating running processes.
    It's available in this forum under "Ghost Security" category.

    You could try another av program like AntiVir.
    You can try an online scan like "House Call" from Trend Micro.

    Hope this helps.
     