Suspicious IP message at start...trace?


Archived from groups: comp.security.firewalls

I get an unknown IP message sent each time I start my computer.
Is there an application or some way that will allow me to associate the
program on my computer with the momentary IP message sent from my computer
at startup?

Background/configuration:
XP, Linksys Router
Wallwatcher: I use Wallwatcher to monitor all IP activity at my Linksys
router.
Kerio Firewall: I also use Kerio firewall to block this IP each time, but
at every startup a new IP message is sent from my computer.
Each time I add the new IP address to the Firewall block, a new one is sent
at the next startup.
I have used Spybot to cleanse and also Norton scan every day.

TCPView/Process Explorer: I have used TCPView and Process Explorer but I
don't see how those help me track this momentary message.

Is there an application or some way that will allow me to associate the
program on my computer with the momentary IP message sent from my computer
at startup?

Any thoughts appreciated.


"dontb" <dontb@yahoo.com> wrote in news:gvVHc.65072$rh.27271@okepread02:

> I get a unknown IP message sent each time I start my computer.
> Is there an application or some way that will allow me to associate
> the program on my computer with the momentary IP message sent from my
> computer at startup?
>
> Background/configuration:
> XP, Linksys Router
> Wallwatcher: I use Wallwatcher to monitor all IP activity at my
> Linksys router.
> Kerio Firewall: I also use Kerio firewall to block this IP each time,
> but at every startup a new IP message is sent from my computer.
> Each time I add the new IP address to the Firewall block, a new one is
> sent at the next startup.

Malware can beat any PFW solution at system boot because the PFW solution
is not an integrated O/S component that can get to the TCP/IP connection
at boot before the malware can. However, XP's SP2 FW is able to get to
the TCP/IP at boot and stop outbound, because it's an integrated
O/S component.

> I have used Spybot to cleanse and also Norton scan every day.

Obviously, they can be beaten as they are a dime short and a dollar late
with the protection.

>
> TCPView/Process Explorer: I have used TCPView and Process Explorer
> but I don't see how those help me track this momentary message.

>
> Is there an application or some way that will allow me to associate
> the program on my computer with the momentary IP message sent from my
> computer at startup?
>
> Any thoughts appreciated.
>
>
>

You can use Active Ports which I put a short-cut for Active Ports in the
Start folder so that I can get a clear picture as to what's happening at
the system boot and logon process with connections. You can set Active
Ports screen Refresh rate to High. If connections are being made at the
boot and logon process, you should be able to see it with AP.

I also use Process Explorer to look at running processes and PE can look
inside a running process to see what programs/processes are using the
process. You see it's not always the process that's running that wants
the access and is being used as a host so that the real culprit that
wants the access can get out.

I suggest that you find some documentation using Google on the features
of PE and how to use them as PE is one powerful piece of software that
can be used to point an exploit running on the machine.

<http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html>

Of course any O/S component such as Svchost.exe or Dllhost.exe, etc, etc
that's not running out of the System32 directory is a Trojan.

Duane :)

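Duane's suggestion above is to watch connections at boot with Active Ports and map them back to a process with Process Explorer. The script below is an added example, not code from the thread or from either tool: it does the same join offline, matching the PID column of a `netstat -ano` snapshot (XP's netstat prints the owning PID with `-o`) against a PID/name/image-path table of the kind Process Explorer displays, then reports connections into a watched address range (here the 80.0.0.0/8 block the original poster later configures) and, following Duane's rule, any core Windows binary name whose image is not in System32. The netstat text, the process table, the `CORE_NAMES` list (the thread names only svchost.exe and dllhost.exe; the rest are assumed additions) and all function names are constructed for this example.

```python
"""Tie an outbound connection to the process that owns it (added example).

Joins the PID column of a `netstat -ano` style snapshot with a
PID/name/image-path table and flags (a) connections to a watch-listed
remote range and (b) processes carrying a core Windows binary name whose
image lives outside System32. All sample data below is constructed.
"""
import ipaddress
import re

# Constructed `netstat -ano` snapshot (not a real capture).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1970       80.67.66.70:80         ESTABLISHED     1532
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1100
  TCP    192.168.1.5:1973       69.44.123.105:80       SYN_SENT        2204
  UDP    192.168.1.5:1027       *:*                                    1100
"""

# Constructed process table as a process viewer would show it: (PID, name, image path).
PROCESS_SAMPLE = [
    (4, "System", ""),
    (1100, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    (1532, "OUTLOOK.EXE", r"C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE"),
    (2204, "svchost.exe", r"C:\WINDOWS\Temp\svchost.exe"),
]

# Assumed list of core binaries that should only run from System32; the thread
# names svchost.exe and dllhost.exe, the others are well-known additions.
CORE_NAMES = {"svchost.exe", "dllhost.exe", "lsass.exe", "services.exe",
              "csrss.exe", "winlogon.exe"}
# Assumes the default install root <drive>:\WINDOWS; adjust for other roots.
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)


def split_endpoint(endpoint):
    """'80.67.66.70:80' -> ('80.67.66.70', 80); '*:*' -> (None, None)."""
    host, _, port = endpoint.rpartition(":")
    if host == "*" or not port.isdigit():
        return None, None
    return host, int(port)


def parse_netstat(text):
    """Parse the TCP/UDP rows of a `netstat -ano` dump into dicts."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        # UDP rows carry no State column, so take the PID from the last field.
        state = parts[3] if parts[0] == "TCP" else ""
        rip, rport = split_endpoint(parts[2])
        conns.append({"proto": parts[0], "local": parts[1], "remote_ip": rip,
                      "remote_port": rport, "state": state, "pid": int(parts[-1])})
    return conns


def correlate(conns, processes):
    """Attach process name and image path to every connection by PID."""
    by_pid = {pid: (name, path) for pid, name, path in processes}
    for c in conns:
        c["name"], c["path"] = by_pid.get(c["pid"], ("<unknown>", ""))
    return conns


def flag_suspicious(conns, watch_cidrs):
    """Return findings: remote in a watched range, or core name outside System32."""
    nets = [ipaddress.ip_network(n) for n in watch_cidrs]
    findings, bad_path_seen = [], set()
    for c in conns:
        if c["remote_ip"] is not None:
            addr = ipaddress.ip_address(c["remote_ip"])
            if any(addr in n for n in nets):
                findings.append({"pid": c["pid"], "name": c["name"],
                                 "reason": "watched-range",
                                 "detail": f'{c["remote_ip"]}:{c["remote_port"]}'})
        if (c["name"].lower() in CORE_NAMES and not SYSTEM32_RE.match(c["path"])
                and c["pid"] not in bad_path_seen):
            bad_path_seen.add(c["pid"])
            findings.append({"pid": c["pid"], "name": c["name"],
                             "reason": "core-name-outside-system32",
                             "detail": c["path"]})
    return findings


if __name__ == "__main__":
    rows = correlate(parse_netstat(NETSTAT_SAMPLE), PROCESS_SAMPLE)
    for f in flag_suspicious(rows, ["80.0.0.0/8"]):
        print(f'PID {f["pid"]} {f["name"]}: {f["reason"]} ({f["detail"]})')
```

On a live XP box the two inputs would come from `netstat -ano` run from a Startup-folder shortcut (as Duane does with Active Ports) and from the process list as soon as the desktop appears; a connection that shows up in the first snapshot but whose PID has already exited by the time the process list is taken is exactly the "momentary" case the original poster describes, so snapshots have to be taken in a tight loop during logon.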

On Sat, 10 Jul 2004 10:20:58 -0700, dontb spoketh

>I get a unknown IP message sent each time I start my computer.
>Is there an application or some way that will allow me to associate the
>program on my computer with the momentary IP message sent from my computer
>at startup?
>

It would certainly help to get some more specific information, but I
suspect it's Norton AntiVirus that either checks for updates or checks
in the crl.verisign.com.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)


There are 2 that I can't explain. The one from Amsterdam surely cannot be
something I want on my computer.

80.67.74.64 RIPE Network Coordination Centre in Amsterdam

69-44-123-105.wcg.net Wiltel communications in St. Louis.


"Lars M. Hansen" <badnews@hansenonline.net> wrote in message
news:e0o0f0p729ot9v2ma7uaogs998h54286h9@4ax.com...
> On Sat, 10 Jul 2004 10:20:58 -0700, dontb spoketh
>
> >I get a unknown IP message sent each time I start my computer.
> >Is there an application or some way that will allow me to associate the
> >program on my computer with the momentary IP message sent from my computer
> >at startup?
> >
>
> It would certainly help to get some more specific information, but I
> suspect it's Norton AntiVirus that either checks for updates or checks
> in the crl.verisign.com.
>
> Lars M. Hansen
> http://www.hansenonline.net
> (replace 'badnews' with 'news' in e-mail address)


"dontb" <dontb@yahoo.com> wrote in news:Yx%Hc.66196$rh.43897@okepread02:

> Now this is getting strange....
>
> I figured out how to put a address range block in the firewall and I
> blocked the range of addresses assigned to the Amsterdam server.
> 80.0.0.0 - 80.255.255.255.
>
> The firewall is set to flag announce attempts in this range. Now
> here is the interesting part.
>
> When I open a received email in Outlook, I get IP sends (that are now
> blocked) to addresses in that range. Not all the emails...just some.
>
> I just have the email open. I'm not even composing. The IP data is:
> Outlook, 80.67.66.70. port 80, TCP, local port 1970.
>
> What do you make of that? Sounds very weird to me.
>
> thanks for any inputs

Well, while you have one of the emails open that you're concerned about,
you could start Process Explorer and go to View enable Show Lower Pane
and Lower Pane View/Dll.

You can click on the Outlook.exe and it will show you all the Dll
(s)/programs etc that are running with Outlook at that time. You can look
at what's running with Outlook with a problem email as opposed to one
you're not having problems to see if you can spot something.

You can click on a dll and it will tell you what directory it's running
out of and you can right-click it and go to Properties. You can also do
the same thing in the upper pane with any program.

My advice is that you find out what's doing it as it is not Outlook that
wants the contact. Outlook is only the host and the *messenger*.

Duane :)


"dontb" <dontb@yahoo.com> wrote in message
news:lsZHc.65834$rh.28749@okepread02...
> there are 2 that i cant explain. The one from Amsterdam surely cannot be
> something I want on my computer.
>
> 80.67.74.64 RIPE Network Coordination Centre in Amsterdam

Common problem with doing a whois on a non-RIPE system for an IP allocated
to RIPE. RIPE allocates out IPs to the whole of Europe. Whenever you get a
RIPE response from the US whois database, go to www.ripe.net and do a whois
db lookup. That IP is allocated to Akamai, who run web systems for many
large companies (e.g. Yahoo, Microsoft). For instance, Windows Update will
want to go to that IP range.

Dan


"Spack" <news@worldofspack.co.uk> wrote in message
news:40f25e3c$0$14151$afc38c87@news.easynet.co.uk...
> "dontb" <dontb@yahoo.com> wrote in message
> news:lsZHc.65834$rh.28749@okepread02...
> > There are 2 that I can't explain. The one from Amsterdam surely cannot be
> > something I want on my computer.
> >
> > 80.67.74.64 RIPE Network Coordination Centre in Amsterdam
>
> Common problem with doing a whois on a non-RIPE system for an IP allocated
> to RIPE. RIPE allocates out IPs to the whole of Europe. Whenever you get a

Oops, meant Europe, Middle East, and parts of Asia and Africa.
http://www.ripe.net/ripencc/mem-se [...] urope.html

Dan

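Dan's point is that a US whois server reports a RIPE-delegated block as belonging to RIPE NCC itself, and the real holder only appears once the RIPE database is queried. As an added example (not the thread's or any registry's code), the script below follows that referral automatically: a plain TCP/43 whois query, a field parser, a check for ARIN's `ReferralServer` line or a RIPE NCC organisation name, and a second query to `whois.ripe.net`. The two registry responses are constructed stand-ins modelled on the registries' field names (the netname and organisation are placeholders, not the real holder of 80.67.74.64), so the demo runs offline through `canned_query`; pass the real `whois_query` instead to go to the network.

```python
"""Follow a whois referral from a US registry to the RIPE database (added example).

`whois_query` speaks the port-43 whois protocol, `parse_whois` turns a reply into
key/value pairs, `referral_server` picks the registry the first answer points
to, and `lookup` chains the two. The sample replies are constructed, not real
records.
"""
import ipaddress
import socket

# Constructed ARIN-style reply for an address in a block delegated to RIPE.
ARIN_SAMPLE = """\
NetRange:       80.0.0.0 - 80.255.255.255
CIDR:           80.0.0.0/8
NetName:        80-RIPE
NetType:        Allocated to RIPE NCC
Organization:   RIPE Network Coordination Centre (RIPE)
ReferralServer: whois://whois.ripe.net
"""

# Constructed RIPE-style reply (placeholder organisation, not a real allocation).
RIPE_SAMPLE = """\
% Constructed sample, not RIPE database output
inetnum:        80.67.64.0 - 80.67.79.255
netname:        EXAMPLE-NET
descr:          Example Hosting Ltd (placeholder)
country:        NL
"""


def whois_query(server, query, timeout=10):
    """Send one whois query over TCP/43 and return the text reply."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def canned_query(server, query):
    """Offline stand-in for whois_query that returns the constructed samples."""
    return {"whois.arin.net": ARIN_SAMPLE, "whois.ripe.net": RIPE_SAMPLE}[server]


def parse_whois(text):
    """Map lowercase field names to values (first occurrence wins); skip comments."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key not in fields:
            fields[key] = value.strip()
    return fields


def referral_server(fields):
    """Return the whois host a registry reply defers to, or None.

    Assumes ARIN's `ReferralServer: whois://host` form; falls back to the
    organisation-name heuristic from the thread (a RIPE NCC answer from a US
    database means "ask RIPE").
    """
    value = fields.get("referralserver")
    if value:
        if value.lower().startswith("whois://"):
            value = value[len("whois://"):]
        return value.split("/")[0]
    org = fields.get("organization", "") + fields.get("orgname", "")
    return "whois.ripe.net" if "RIPE" in org.upper() else None


def covering_range(fields):
    """Parse 'inetnum'/'NetRange' 'a - b' into (first, last) addresses, or None."""
    rng = fields.get("inetnum") or fields.get("netrange")
    if not rng or "-" not in rng:
        return None
    lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-", 1))
    return lo, hi


def contains(fields, ip):
    """True if the reply's inetnum/NetRange covers `ip`."""
    rng = covering_range(fields)
    return rng is not None and rng[0] <= ipaddress.ip_address(ip) <= rng[1]


def lookup(ip, query=whois_query, first="whois.arin.net"):
    """Query `first`, follow one referral if present, return (server, fields)."""
    fields = parse_whois(query(first, ip))
    target = referral_server(fields)
    if target and target != first:
        return target, parse_whois(query(target, ip))
    return first, fields


if __name__ == "__main__":
    server, fields = lookup("80.67.74.64", query=canned_query)
    print(server, fields.get("netname"), contains(fields, "80.67.74.64"))
```

Starting at ARIN and following one referral is enough for the case in the thread; a reply with no referral and no RIPE organisation is treated as authoritative, so a registry that hands out a different referral field would need `referral_server` extended.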