Inappropriate attempts to connect to Internet

Discussion in 'other firewalls' started by jayzzz, Jan 22, 2006.

Thread Status:
Not open for further replies.
  1. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    January 3rd was the first time in years of using EditPad Lite that it froze up rather than saving a file as it should've, and Sygate Personal F/W notified me it was trying to contact "ftpext.usgs.gov" (screen snapshot attached), and that the program had changed.

    I did some searching and found one association with a page I've visited often in connection with watching Mt. Saint Helen's. I don't see how it could be relevant, though, or why it would be.

    Since then, every time I save a new file in EditPad Lite, NotePad, WordPad, or PrintShop, those applications try to make that same mysterious connection. The details differ slightly. My computer gets hung up for about 15 seconds while the firewall blocks them, and then it unfreezes and saves the file. When saving files that are modified rather than new, it doesn't happen, and Word is not affected.

    I don't believe this is a malware problem, however it seems unwise to ignore it without understanding its cause. I've got screen snapshots of the complete information from the firewall messages for 3 different applications I can post if anyone wants to see them, too.

    I use XPHome SP1, current on M$N fixes through January 10. Have Sygate Personal Firewall, AVGFree, SpywareBlaster and SpywareGuard. I keep MVPS HOSTS' latest version w/eDexter and use the Trusted and Restricted zones appropriately in IE/Avant. Firefox is my default browser. Ad-Aware and Spybot S&D are installed and I run them every couple of days. They never find anything but an occasional false positive. Per HijackThis, my system is squeaky-clean and WinPatrol reveals no processes that don't belong, either.

    Will attach a screen snapshot of the notification for EditPad Lite for now. Would be grateful for any input. :)
     

    Attached Files:

  2. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    hi, did you update EditPad Lite between these alerts and the last time you used it? i don't use Sygate but it looks like it's telling you, UNLESS YOU HAVE UPDATED IT, that it is no longer the same program! that could mean it's been updated or it's had something (dll) injected into it to make it change the way it behaves.

    you could upload the exe to jottis and see what results you get.
    virusscan.jotti.org/

    you can also take the checksum for EditPad Lite.exe and find out the version you are using and see if you have the correct checksum. you might be able to find the checksum from Sygate. if not you can use Kana Checksum - install, or it could be a standalone i forget, then right click the exe and select checksum.
    http://www.kanasolution.com/download.php?i=42

    but, if you are saying afew of your notepad programs are doing this then you should do a malware scan.

    the whois says it's trying to get to: US Department of the Interior
    and port 21 that's the FTP server, so it looks like you are trying to connect to a server at the US Department of the Interior
     
    Last edited: Jan 23, 2006
  3. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    No, it hadn't been updated...and it never tried to connect to the Internet before, either. The other notepad-type programs trying to make the same connection do not include the statement that they've changed.
    Because the one image doesn't show the complete situation, I'll wait on these for now.

    It's ALL my notepad-type programs, PLUS PrintShop, which is an application to make greeting cards. Will include a snapshot of that at the bottom of this post. None of my malware-detection programs are finding anything, but will try one of them if no other answer arises in a few hours...PandaScan or ?

    It's puzzling. My computer has never had cause to contact the government before, and doesn't, now...except for the sites associated with Mount St. Helens when I choose to visit them.

    Will post right below this with a snapshot of the notice regarding Notepad's efforts to get to the same place.
     

    Attached Files:

  4. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    Here's the screen snapshot for NotePad.

    I've got another snapshot of the FTP site I somehow found myself in while searching for information, too...couldn't access any of the files, though, due to being unauthorized.

    Edit: Even though applications are trying to make connections outward, there's no sign of malevolent purpose (or any other purpose). I will run an online scan, though, just to confirm.
     

    Attached Files:

    Last edited: Jan 23, 2006
  5. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    sorry, i wish i could help. someone will have a better idea and explaination as to what's going on. CrazyM reads this forum and P2K does abit too i think. have you tried sniffing the traffic?

    it's probably something obvious we are both missing. maybe you could get the thread moved to the FW forum :doubt:
     
  6. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    Nothing to be sorry for. I appreciate your response. :) I wouldn't know where to begin packet sniffing or recognize what I was looking for if I found it, so that's not a good route for me to take on my own.

    Hmmm. It never crossed my mind it might caused by the firewall; it's selective, if involved.

    When it first began, SPF asked for permission a couple of times after it was set to block EditPad Lite w/o asking, but then it stopped. The programs hang up my whole system while SPF blocks their access before finally displaying what I need to give the files names. As I mentioned, files that aren't being saved for the first time don't trigger it and saving new Word files doesn't, either. :doubt:

    I'll mention one other thing, on the off-chance it could be connected: after using the WMF "unofficial" fix and unregistering the dll, then uninstalling, re-registering the dll and installing the "official" patch, previews of graphics on my desktop take about 20 seconds to be generated while previews of images within other folders are generated instantly, just like in the days before. It doesn't seem as if it could be related, but one of the few things I know for sure about computers is that doesn't mean it isn't! ;)
     
  7. ulook

    ulook Guest

    did u disabled connection completly?

    also why use red and black.. that's a serious EYE strainer.. wow.
     
  8. metallicakid15

    metallicakid15 Registered Member

    Joined:
    Dec 6, 2005
    Posts:
    454
    could it be a keylogger sending your info the attacker?
     
  9. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    If you mean in the firewall, yes, I did, thanks.

    The colours don't display that way in parts of Windows I work in. I enjoy red and it doesn't strain my eyes at all with the way I've customized the theme I use. Seemed impractical to switch it for the snapshot since it is legible.

    If I knew what it could be, I'd be asking questions in a more specific place. IMO, it's not likely a government site would be the remote location for something like that.
     
  10. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Hmm... have you tried to look at the packets it's sending, and/or tried to execute the process in a sandbox?
     
  11. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    No. I never learned how to look at packets or use a packet sniffer.

    I've seen mentions of allowing [a thing] to run in a sandbox, and know sandboxes restrict the abilities of [the things] that run in them, but that's not enough to be of any use. I'd need either very detailed instructions or a trusted, knowledgeable person to check it out remotely.

    I appreciate you taking the time to make suggestions, though. :)
     
  12. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well, with something like Sandboxie, you can see whether the file is trying to write to disk, where and what.
     
  13. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    YOU can, perhaps, but I'd need to know more than I do before I'd stand a chance. ;)
     
  14. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Hmmm... download and install Sandboxie, then click on the suspect process and choose "run sandboxed". ;)

    By the way, Sygate allows you to inspect contents of packets as well. ;)
     
  15. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    Will give it a try shortly and see if I can get it to do anything recognizable, thanks.

    Where might I find that in SPF's menus? And what would I be looking for in the packets? I'm not one of this group's more tech-savvy members. :cautious:
     
  16. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    I never had any trouble getting to the web site at all. I just type ftp://ftpext.usgs.gov into the address bar. Or ftp://137.227.224.110 .It's a government geographical site...the readme says:

    "This is a U.S. Government computer system, maintained by the U.S. Geological
    Survey. U.S. Geological Survey computer systems are provided for the
    processing of Official, Unclassified U.S. Geological Survey information only."

    Have you installed any mapping software lately? Browser plugins or ActiveX controls? I saw a reference to the IP you mentioned here:

    http://translate.google.com/transla...137.227.224.110%22&num=100&hl=en&lr=&safe=off

    Perhaps whatever installed corrupted the saving of text files. You might also check your folder options/file types for .txt and search the registry for ftpext.usgs.gov or 137.227.224.110. See any new items in Add/Remove Programs?
     
  17. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    I appreciate the input, but you may have misunderstood. Those applications are trying to make contact, but I'm not.

    There's no potential gain from deliberately getting my browser to a U.S. Geological ftp page where I can't access the files, anyhow. I've got a screen snapshot of that, including the URL, but don't remember how I got there...

    No. This started before I reinstalled Firefox last week with extensions. I don't know what mapping software does so I really doubt it. Likewise for ActiveX controls unless there are specific applications that would include them w/o mentioning it.

    Am not sure what you mean. Which IP?

    I found both by searching in registry...will move to recycle bin and see if that improves things. I have no idea whether finding them in the registry is significant, and if so, in what way...
     

    Attached Files:

  18. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    I deleted them and the problem seems to be gone. I saved a new file created in EditPad Lite without a hiccup.

    I still don't understand what happened, how or why, but thank you so much for suggesting I look for those items in my registry!
     

    Attached Files:

    • rose.gif
      rose.gif
      File size:
      776 bytes
      Views:
      143
  19. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Would you mind posting the whole registry key location of those entries Please.
     
  20. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    Thanks, Bubba.

    Another friend asked me about that yesterday. I (mistakenly) expected to be able to restore the two deleted items from the Recycle Bin if need be. I'm not accustomed to doing things in the Registry and didn't think :blink: to pay attention to where they were. :cautious:

    All I found in the Recycle Bin was an Internet shortcut that looks like it came from my Desktop (I don't remember deleting that shortcut...) with properties: ftp://ftpext.usgs.gov/pub/wr/wa/vancouver/MSH_Images/.

    I reopened Regedit and it was apparently "aimed at" the same place I'd deleted from because the other items remaining in the group are identical. The snapshot (attached) shows all in an Agent Ransack subfolder. The items listed are all searches I used Agent Ransack to do within the previous 24 hrs., including trying (and failing) to find the URL and IP address noway suggested before actually looking in the Registry using Start/Run/etc. I hadn't recognized that at the time of the first screen snapshot. Makes no sense that deleting a record of a search in my computer would've stopped my applications from trying to connect out. :doubt:

    I'm curious about how this happened...and what it was that happened. Do you think it's a good idea to use System Restore to go back a few days and look at the Registry? Then I'd undo it.
     

    Attached Files:

  21. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    This is a screen snapshot of where I was (got lost, sort of) earlier in the morning on Jan. 3. The volcano camera was having problems and I was looking around. About 3 hours later (per the times of the screen snapshots), I got the first message from SPF about EditPad Lite trying to call out.

    I couldn't access any of those files, but "MyDocs," on the right left, is My Documents.
     

    Attached Files:

    Last edited: Jan 25, 2006
Loading...
Thread Status:
Not open for further replies.