Possible Trojan?

Discussion in 'malware problems & news' started by mVPstar, Dec 30, 2004.

Thread Status:
Not open for further replies.
  1. mVPstar

    mVPstar Registered Member

    Joined:
    May 2, 2004
    Posts:
    52
    Okay, I was busy browsing today on my newly downloaded browser "Maxthon".


    I was searching for plugins and came across some geocities site describing the "neat features" of Maxthon (MYIE2).


    When I was on that site, my Norton Personal Firewall 2003 prompted that Maxthon was trying to access (geocities, 66.218.77.68 on port 80).


    I disallowed access.

    I then went to play around with a .NET program I had made (It was a game of Jeopardy). When I was playing it, my NPF reported that Jeopardy was trying to access (geocities, 66.218.77.68 on port 80).

    I denied access to that.

    I scanned my computer with NAV2003, Bit Defender Online Scanner, adawareSE, and bazzoka. All programs came clean.

    Nothing else has happened, although every time I rebuild and run that program, the program sometimes wants to connect to that IP address and I have to deny access every time.

    What trojan/virus is this and if there isn't one, how do I fix this problem?

    Recap, the IP address the programs connect to is:
    (geocities, 66.218.77.68 on port 80)
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi mVPstar, and welcome to Wilders.

    That netblock belongs to Yahoo.

    -----
    OrgName: Yahoo!
    OrgID: YAOO
    Address: 701 First Avenue
    City: Sunnyvale
    StateProv: CA
    PostalCode: 94089
    Country: US

    NetRange: 66.218.64.0 - 66.218.95.255
    CIDR: 66.218.64.0/19
    NetName: A-YAHOO-U23
    NetHandle: NET-66-218-64-0-1
    Parent: NET-66-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.YAHOO.COM
    NameServer: NS2.YAHOO.COM
    NameServer: NS3.YAHOO.COM
    NameServer: NS4.YAHOO.COM
    NameServer: NS5.YAHOO.COM
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 2002-01-15
    Updated: 2002-06-27

    TechHandle: NA258-ARIN
    TechName: Netblock Admin
    TechPhone: +1-408-349-3300
    TechEmail: netblockadmin@yahoo-inc.com

    OrgTechHandle: NA258-ARIN
    OrgTechName: Netblock Admin
    OrgTechPhone: +1-408-349-3300
    OrgTechEmail: netblockadmin@yahoo-inc.com
    -------

    Do you have yahoo messenger/pager installed or running?

    I do not use Norton Personal Firewall myself, but this may be something you can check in its settings. Hopefully someone that uses NPF and/or Yahoo will be able to add more. (If it does turn out to be firewall settings, then I'll move this thread over into the "Other Firewall Forum".)

    Regards,

    snap
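
The check snapdragin did by hand above (is 66.218.77.68 inside the NetRange/CIDR that ARIN lists for Yahoo?) can be scripted so that every address a firewall prompts about is compared against the same record. The block below is an added example, not code from either poster; it embeds only the WHOIS lines quoted in this thread, and the third firewall prompt (a destination in TEST-NET-1) is a constructed sample used to show the "outside the block" case.

```python
import ipaddress

# Excerpt of the ARIN WHOIS record quoted in the post above (only the fields needed here)
WHOIS_RECORD = """\
OrgName: Yahoo!
NetRange: 66.218.64.0 - 66.218.95.255
CIDR: 66.218.64.0/19
NetName: A-YAHOO-U23
"""


def parse_whois(text: str) -> dict:
    """Parse 'Key: value' lines of a WHOIS record into a dict (first occurrence of a key wins)."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        record.setdefault(key.strip(), value.strip())
    return record


def netrange_matches_cidr(record: dict) -> bool:
    """Cross-check that the NetRange and CIDR fields of the record describe the same block."""
    first, _, last = record["NetRange"].partition("-")
    net = ipaddress.ip_network(record["CIDR"], strict=True)
    return (net[0] == ipaddress.ip_address(first.strip())
            and net[-1] == ipaddress.ip_address(last.strip()))


def in_netblock(ip: str, cidr: str) -> bool:
    """True if the address lies inside the CIDR block reported by WHOIS."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def classify_prompts(prompts, cidr: str) -> dict:
    """Split (program, ip, port) firewall prompts by whether the destination is inside the block."""
    inside, outside = [], []
    for program, ip, port in prompts:
        (inside if in_netblock(ip, cidr) else outside).append((program, ip, port))
    return {"inside": inside, "outside": outside}


# Constructed sample: the two prompts described in the thread plus one made-up
# destination in 192.0.2.0/24 (TEST-NET-1), which is outside Yahoo's block.
SAMPLE_PROMPTS = [
    ("Maxthon", "66.218.77.68", 80),
    ("Jeopardy", "66.218.77.68", 80),
    ("other.exe", "192.0.2.10", 443),
]

if __name__ == "__main__":
    rec = parse_whois(WHOIS_RECORD)
    print("NetRange/CIDR consistent:", netrange_matches_cidr(rec))
    print(classify_prompts(SAMPLE_PROMPTS, rec["CIDR"]))
```

Both prompts from the thread land in the "inside" list, which is the same conclusion as the WHOIS lookup: the destination is a Yahoo/GeoCities web server, so the question shifts from "what is this host?" to "why are two different programs opening it?".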
     
  3. mVPstar

    mVPstar Registered Member

    Joined:
    May 2, 2004
    Posts:
    52
    What's interesting is, I used a program called ipnetinfo to resolve an IP address. When I type www.geocities.com, I get that IP address: 66.218.77.68, and then the program goes on about how it's Yahoo's reserved block.

    Anyways, whether it's yahoo's or geocities, there's still probably something on my computer and nothing appears to detect it. For now, I created a block all rule for connections to that IP address.

    I can't quite remember what site I went to, but it was some geocities site that was talking about MyIE2 (Maxthon) and how good it was.. Then suddenly NPF says something about the program trying to connect to geocities.

    What could it be?


    EDIT: Found the site: hxxp://www.geocities.com/hhstrumpet/tv.html
     
    Last edited by a moderator: Dec 30, 2004
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
  5. mVPstar

    mVPstar Registered Member

    Joined:
    May 2, 2004
    Posts:
    52
    Hmm, I think I've narrowed down the possible infection.

    It seems that when I installed Maxthon, it automatically became the default browser, even though it shouldn't have. So whenever I used my .NET Jeopardy game :p, when it accesses the internet to collect its data, it uses the Maxthon browser to connect, not IE.

    So, it could be some possible setting in Maxthon which I have to figure out how to disable.

    Thanks for your help!

    P.S: I believe I gave you the wrong URL. I visited that geocities site long after I visited the site that "infected" me. It was some other site.
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Ahh...well at least it sounds like you're closer to the cause now. :)

    The thought of it being a possible plugin with your Maxthon browser crossed my mind, but I am not familiar with that browser at all.

    Please do post back and let us know what you've been able to find out, and hopefully other members here will be able to add some thoughts too.

    Regards,

    snap
     
  7. mVPstar

    mVPstar Registered Member

    Joined:
    May 2, 2004
    Posts:
    52
    Heh, never mind. Looks like IE is connecting too.
     