Possible Trojan?

Okay, I was busy browsing today on my newly downloaded browser "Maxthon".


I was searching for plugins and came across some geocities site describing the "neat features" of Maxthon (MYIE2).


When I was on that site, my Norton Personal Firewall 2003 prompted that Maxton was trying to access (geocities, 66.218.77.68 on port 80)


I disallowed access.

I then went to play around with a .NET program I had made (It was a game of Jeopardy). When I was playing it, my NPF reported that Jeopardy was trying to access (geocities, 66.218.77.68 on port 80).

I denied access to that.

I scanned my computer with NAV2003, Bit Defender Online Scanner, adawareSE, and bazzoka. All programs came clean.

Nothing else has happened, although, everytime I rebuild and run that program, the program sometimes wants to connect to that IP address and I have to deny access everytime.

What trojan/virus is this and if there isn't one, how do I fix this problem?

Recap, the IP address the programs connect to is:
(geocities, 66.218.77.68 on port 80)

 

Hi mVPstar, and welcome to Wilders.

That netblock belongs to Yahoo.

-----
OrgName: Yahoo!
OrgID: YAOO
Address: 701 First Avenue
City: Sunnyvale
StateProv: CA
PostalCode: 94089
Country: US

NetRange: 66.218.64.0 - 66.218.95.255
CIDR: 66.218.64.0/19
NetName: A-YAHOO-U23
NetHandle: NET-66-218-64-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.YAHOO.COM
NameServer: NS2.YAHOO.COM
NameServer: NS3.YAHOO.COM
NameServer: NS4.YAHOO.COM
NameServer: NS5.YAHOO.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-01-15
Updated: 2002-06-27

TechHandle: NA258-ARIN
TechName: Netblock Admin
TechPhone: +1-408-349-3300
TechEmail: netblockadmin@yahoo-inc.com

OrgTechHandle: NA258-ARIN
OrgTechName: Netblock Admin
OrgTechPhone: +1-408-349-3300
OrgTechEmail: netblockadmin@yahoo-inc.com
-------

Do you have yahoo messenger/pager installed or running?

I do not use Norton Personal Firewall myself, but this may be something you can check in it's settings. Hopefully someone that uses NPF and/or yahoo will be able to add more. (If it does turn out to be firewall settings, then I'll move this thread over into the "Other Firewall Forum" )

Regards,

snap

 

What's interesting is, I used a program called ipnetinfo to resolve an IP address. When I type www.geocities.com , I get that IP address: 66.218.77.68 and then the program goes on about how it's Yahoo's reserved block..

Anyways, whether it's yahoo's or geocities, there's still probably something on my computer and nothing appears to detect it. For now, I created a block all rule for connections to that IP address.

I can't quite remember what site I went to, but it was some geocities site that was talking about MyIE2 (Maxthon) and how good it was.. Then suddenly NPF says something about the program trying to connect to geocities.

What could it be?


EDIT: Found the site: hxxp://www.geocities.com/hhstrumpet/tv.html"]http://www.geocities.com/hhstrumpet/tv.html

 

Just did a google search on that site and it looks to be a MIDI Collection site.
http://www.google.ca/search?hl=en&q=hhstrumpet/tv.html&btnG=Google Search&meta=

I'm not much help I'm afraid, mVPstar.

You could go through some of the steps in our General Cleaning Guide and see if that helps. Or try scanning with your antivirus while in Safe Mode and disconnected from the internet.

Edit to add - You can also scan with your anti-spyware programs while in safe mode too.

Regards,

snap

 

Hmm, I think I've narrowed down the possible infection.

It seems that when I installed Maxthon, it automatically became the default browser, even though it shouldn't have. So whenever I used my .NET Jeopardy game , when it accesses the internet to collect its data, it uses the Maxthon browser to connect, not IE.

So, it could be some possible setting in Maxthon which I have to figure out how to disable.

Thanks for your help!

P.S: I believe I gave you the wrong URL. I visited that geocities site long after I visited the site that "infected" me. It was some other site.

 

Ahh...well at least it sounds like you're closer to the cause now.

The thought of it being a possible plugin with your Maxthon browser crossed my mind, but I am not familiar with that browser at all.

Please do post back and let us know what you've been able to find out, and hopefully other members here will be able to add some thoughts too.

Regards,

snap

 

Heh, nevermind. Looks like IE is connecting too.