An app is trying to get unauthorized access to the net......

Archived from groups: comp.security.firewalls

A friend of mine opened an email which had a virus attached to
it. After doing a complete virus scan, trojan scan and a reboot, I
did a "netstat -a" to check and see if I had anything suspicious
attempting connections to the net or vice-versa, here's a part of what
it spit out:

TCP inspiron:1049 www.milfseeker.com:1041 TIME_WAIT
TCP inspiron:1051 www.milfseeker.com:1041 TIME_WAIT

The reason why it is now in time_wait state is because I blocked that
URL with my firewall after seeing the URL in the netstat. I am trying
to figure out what application is launching this connection attempt.
My firewall does not detect a new app attempting to access the net
which makes me think the virus has piggy backed itself to an
authorized application. I've done several reboots and after I do a
netstat, the connection attempts are still being done. Any insight
will be appreciated. Thanx.

BTW, milfseeker.com is a porn site.
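The netstat lines quoted above are the kind of thing worth pulling apart by hand: a local port that keeps climbing (1049, then 1051) against the same remote host and port means a process is opening fresh sockets over and over, not that one stale connection is waiting to expire. The following is an added example, not code from the original post, that parses Windows `netstat -a` output and lists the sockets that hit a watchlist of hosts. The sample output is constructed; the two www.milfseeker.com lines mirror the ones in the post, the mail.example.net and listener lines are filler.

```python
"""Parse Windows `netstat -a` output and pick out connections worth a closer look."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the Windows netstat layout; the two milfseeker lines
# mirror the ones quoted in the post, the rest are made-up filler.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    inspiron:epmap         inspiron:0             LISTENING
  TCP    inspiron:1049          www.milfseeker.com:1041  TIME_WAIT
  TCP    inspiron:1051          www.milfseeker.com:1041  TIME_WAIT
  TCP    inspiron:1060          mail.example.net:pop3  ESTABLISHED
  UDP    inspiron:ntp           *:*
"""

@dataclass(frozen=True)
class Conn:
    proto: str
    local_host: str
    local_port: str
    remote_host: str
    remote_port: str
    state: str          # empty for UDP, which reports no state

def split_endpoint(endpoint):
    """'host:port' -> (host, port); rpartition keeps IPv6 literals intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                      # banner and header lines
        local_host, local_port = split_endpoint(parts[1])
        remote_host, remote_port = split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""
        conns.append(Conn(parts[0], local_host, local_port,
                          remote_host, remote_port, state))
    return conns

def outbound(conns):
    """TCP sockets that talked to a remote host: everything except listeners."""
    return [c for c in conns if c.proto == "TCP" and c.state != "LISTENING"]

def triage(conns, watchlist):
    """remote host -> [(local_port, state), ...] for hosts on the watchlist.

    Several entries for one host with climbing local ports (1049, 1051, ...)
    mean some process keeps opening fresh sockets to it, i.e. it is retrying,
    not a single stale connection waiting to expire.
    """
    watch = {h.lower() for h in watchlist}
    hits = {}
    for c in outbound(conns):
        if c.remote_host.lower() in watch:
            hits.setdefault(c.remote_host, []).append((c.local_port, c.state))
    return hits

def remote_host_counts(conns):
    """How many sockets each remote host accounts for; a quick eyeball list."""
    return Counter(c.remote_host for c in outbound(conns))

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for host, sockets in triage(conns, ["www.milfseeker.com"]).items():
        print(host, sockets)
    print(remote_host_counts(conns))
```

Run it against a saved `netstat -a` capture rather than a live one, and take several captures a minute apart: the host that keeps reappearing with new local ports after the firewall rule is in place is the one a process is still trying to reach.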

Boll Weevil <dryer@maytag.com> wrote in
news:mvgd709l18o09bambgkhhu0c2ipe36m64h@4ax.com:

> A friend of mine opened an email which had a virus attached to
> it. After doing a complete virus scan, trojan scan and a reboot, I
> did a "netstat -a" to check and see if I had anything suspicious
> attempting connections to the net or vice-versa, here's a part of what
> it spit out:
>
> TCP inspiron:1049 www.milfseeker.com:1041 TIME_WAIT
> TCP inspiron:1051 www.milfseeker.com:1041 TIME_WAIT
>
> The reason why it is now in time_wait state is because I blocked that
> URL with my firewall after seeing the URL in the netstat. I am trying
> to figure out what application is launching this connection attempt.
> My firewall does not detect a new app attempting to access the net
> which makes me think the virus has piggy backed itself to an
> authorized application. I've done several reboots and after I do a
> netstat, the connection attempts are still being done. Any insight
> will be appreciated. Thanx.
>
> BTW, milfseeker.com is a porn site.
>

http://www.isi.edu/atomic2/pcbswap.html

I think that whatever spyware or Trojan etc., etc. is on your machine has
beaten Sygate to the punch at boot up and has sent its data, and the
close-the-port sequence has been interrupted by Sygate as it finally gets
there on the TCP/IP connection.

You can see my response and possible tools that can be used in finding the
culprit at the *Svchost Exploit on Ports 80, 443 & 21* thread in this NG.

You should place a short-cut to Active Ports in the Start-up folder with
display resolution at *High*. It should give you a clear picture if Sygate
is getting beaten to the punch.

After you have gotten things cleaned up, you can use the HOST file as a
prevention measure.

http://www.mvps.org/winhelp2002/hosts.htm
http://www.snapfiles.com/get/hoststoggle.html

The blocking of ads and all that stuff is cool. But what the local HOST
file is about is stopping the O/S's ability to come up with the IP to
access www.milfseeker.com that the offending program is requesting. If
www.milfseeker.com is in the HOST file with 127.0.0.1, it cannot make
contact with the site. If it is not in the HOST file, then the O/S is going
to go to the ISP's DNS and get the correct IP and the program will be able
to make contact.

Duane :)
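The HOST file trick works because the resolver consults the local file before it asks the ISP's DNS, so a name mapped to 127.0.0.1 never produces a routable address. The following is an added example, not from Duane's post, that models exactly that lookup order and builds a blocking entry. The sample HOST file content and the `FAKE_DNS` table standing in for the ISP resolver are constructed; the addresses come from the documentation ranges.

```python
"""Model the HOSTS-before-DNS lookup order the post relies on, and build entries."""
import ipaddress

# Constructed sample HOSTS file (the milfseeker entry is the one the post proposes).
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored
127.0.0.1       localhost
127.0.0.1       www.milfseeker.com      # route the lookup to the loopback
0.0.0.0         ads.tracker.invalid
"""

# Constructed stand-in for "the ISP's DNS"; addresses from the documentation range.
FAKE_DNS = {
    "www.milfseeker.com": "203.0.113.5",
    "mail.example.net": "198.51.100.7",
}

def parse_hosts(text):
    """hostname (lower-cased) -> address. Malformed addresses raise ValueError."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        address, *names = line.split()
        ipaddress.ip_address(address)             # validate; raises on junk
        for name in names:
            mapping.setdefault(name.lower(), address)   # first entry wins
    return mapping

def resolve(name, hosts, dns):
    """Return (address, source). HOSTS is consulted before DNS, so a name
    present in HOSTS never reaches the ISP resolver at all."""
    key = name.lower().rstrip(".")
    if key in hosts:
        return hosts[key], "hosts"
    if key in dns:
        return dns[key], "dns"
    return None, "nxdomain"

def is_blackholed(address):
    """Loopback and the unspecified address both lead nowhere useful."""
    return address in ("127.0.0.1", "0.0.0.0", "::1")

def block_entry(name, sink="127.0.0.1"):
    """Build a HOSTS line. Entries take bare hostnames, not URLs."""
    if not name or any(ch in name for ch in "/:? \t"):
        raise ValueError(f"not a bare hostname: {name!r}")
    return f"{sink}\t{name}"

def would_reach_site(name, hosts, dns):
    """True if a program asking for this name gets a routable answer."""
    address, _ = resolve(name, hosts, dns)
    return address is not None and not is_blackholed(address)
```

Two limits follow directly from the model: the entry only intercepts name lookups, so a program that connects to the server's IP address directly, or to a different hostname on the same server, is unaffected; and it does nothing to a connection that is already open, which is why the cleanup has to come first and the HOST file is the prevention step.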

> Well, I've found what's starting the access attempts..................
> Outlook. Every time I start Outlook, there are connection attempts to
> that website. What do I use to clean Outlook?

You can install AD-Aware and Spybot, both are free, and scan with both
utilities to see if that cleans out the system.

If that doesn't work, then you install Process Explorer. With Outlook hanging
on the TIME_WAIT, you can use PE and go to Outlook and see what processes are
using Outlook at the time it is running by going to the yellow wheel icon
that shows the dll(s) programs along with other programs that are using OE
at the time of processing.

You can place the mouse on each dll or other type of program and it will show
the directory that it's running out of.

Legit directories are C:\Windows\system32 (for XP) or C:\winnt\system32 (for
Win2k and NT) where programs can be running out of for the O/S, but that's
no guarantee that a program is legit.

So, you'll have to take each program and do a search on Google and come back
with some info about the program. If the search doesn't come back with a
hit, then you should be questioning what it is.

But maybe you'll spot it right off the top. <g>

You may have to clean it out of the registry as well.

HTH

Duane :)
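The procedure above (read the path of every module loaded into Outlook, treat the system directories as expected but not as proof, and research anything unfamiliar) is mechanical enough to script once the module list has been copied out of Process Explorer's DLL view. The following is an added example, not code from the post or from Process Explorer, that takes such a list and sorts it into the entries to research first. The sample module list and the `KNOWN_GOOD` allow-list are constructed; `helper32.dll` and `nview.dll` are invented names used only to exercise the verdicts.

```python
"""Triage the module list a tool such as Process Explorer shows for a process."""
from pathlib import PureWindowsPath

# Constructed sample: (module name, full path) pairs like the DLL view's
# Name and Path columns for an Outlook process. helper32.dll and nview.dll
# are invented names used only to exercise the verdicts.
SAMPLE_MODULES = [
    ("outlook.exe",  r"C:\Program Files\Microsoft Office\Office10\outlook.exe"),
    ("ntdll.dll",    r"C:\WINDOWS\system32\ntdll.dll"),
    ("kernel32.dll", r"C:\WINDOWS\system32\kernel32.dll"),
    ("mso.dll",      r"C:\Program Files\Common Files\Microsoft Shared\Office10\mso.dll"),
    ("nview.dll",    r"C:\WINDOWS\system32\nview.dll"),
    ("helper32.dll", r"C:\Documents and Settings\user\Local Settings\Temp\helper32.dll"),
]

# Modules you have already identified (constructed allow-list for the sample).
KNOWN_GOOD = {"outlook.exe", "ntdll.dll", "kernel32.dll", "mso.dll"}

SYSTEM_ROOTS = (
    PureWindowsPath(r"C:\WINDOWS\system32"),   # XP
    PureWindowsPath(r"C:\WINNT\system32"),     # Win2k / NT
    PureWindowsPath(r"C:\Program Files"),
)
# Directories an ordinary user (or a program running as one) can write to.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\local settings\\",
                         "\\documents and settings\\", "\\users\\")

def under(path, root):
    p = PureWindowsPath(path)
    return root == p or root in p.parents   # PureWindowsPath compares case-insensitively

def verdict(name, path, known_good):
    lower = path.lower()
    if any(marker in lower for marker in USER_WRITABLE_MARKERS):
        return "user-writable"          # loaded from a temp/profile dir: check first
    if name.lower() not in known_good:
        return "unrecognized"           # system dir or not, look it up before trusting it
    if any(under(path, root) for root in SYSTEM_ROOTS):
        return "ok"
    return "known-name-odd-location"    # a familiar name loaded from somewhere unexpected

def triage_modules(modules, known_good):
    """name -> verdict, so the questionable entries can be listed first."""
    return {name: verdict(name, path, known_good) for name, path in modules}

def needs_lookup(modules, known_good):
    """The modules the post says to go and research, worst first."""
    order = {"user-writable": 0, "known-name-odd-location": 1, "unrecognized": 2}
    flagged = [(n, v) for n, v in triage_modules(modules, known_good).items() if v != "ok"]
    return sorted(flagged, key=lambda nv: order[nv[1]])
```

The "known-name-odd-location" verdict covers the case the post warns about in reverse: a familiar file name is not reassuring when it is loaded from a directory the real one never lives in. Whatever ends up in the `needs_lookup` list still has to be researched by hand before it is removed; the script only orders the work.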