ntijones asked:
Computer tries to access 68.142.234.*

We have XP computers trying to access 68.142.234.* and Symantec, AdWare and SpyBot do not catch anything. Any ideas?
David-Howard (asker certified solution):
How did you find this out?  Through the netstat command?  Which ports are being used (both on your end and on the other end)?
r-k:
Try the "netstat -ab" command at a command prompt to see which programs have which connections open.
I was thinking along the same lines as r-k.  Although I was thinking of sysinternals tools, probably tdi-mon.  But that's just off the top of my head.

That network block belongs to Inktomi, a search engine company. Probably some browser toolbar reporting back or checking for updates.
Yes, all the sysinternals tools are highly recommended. In addition to TDImon, also see TCPview:

 http://www.sysinternals.com/Utilities/TcpView.html
That IP block belongs to Inktomi...see here:  http://www.dnsstuff.com/tools/whois.ch?ip=68.142.234.1

Inktomi is a huge search provider for things like MSN, Yahoo, Hotbot, etc.

It's probably something like an IE toolbar add-on from one of the major players like Yahoo or similar that's causing the traffic.
oops...sorry boywaja, I should read better...
ntijones (asker):
http://www.hijackthis.de/logfiles/c8840a857fdea431c42762f6ab9d9e48.html
http://www.hijackthis.de/logfiles/5a11af108e5aca6433511716e0fdc6df.html

The computer tries to access 68.142.234.* at computer startup. You do not have to start a browser.
Safe mode and normal mode logs are attached. All temp files and cookies have been cleared. Msconfig has been reduced to minimum.

This is also seen in the firewall log. A portion is below:
 4/12/2006

 9:19    Deny tcp src      inside:10.163.25.144/1049 dst outside:68.142.234.45/80 by access-group "inside"
 9:19    Deny tcp src      inside:10.163.25.144/1049 dst outside:68.142.234.45/80 by access-group "inside"

 9:19    Deny tcp src      inside:10.163.25.144/1057 dst outside:68.142.234.45/80 by access-group "inside"
 9:19    Deny tcp src      inside:10.163.25.144/1057 dst outside:68.142.234.45/80 by access-group "inside"
 9:19    Deny tcp src      inside:10.163.25.144/1057 dst outside:68.142.234.45/80 by access-group "inside"

 9:19    Deny tcp src      inside:10.163.25.144/1062 dst outside:68.142.234.45/80 by access-group "inside"
 9:19    Deny tcp src      inside:10.163.25.144/1062 dst outside:68.142.234.45/80 by access-group "inside"
 9:19    Deny tcp src      inside:10.163.25.144/1062 dst outside:68.142.234.45/80 by access-group "inside"

Netstat log:
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    LCB021:epmap           LCB021.lcb2010.landmark.net:0  LISTENING       948
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  -- unknown component(s) --
  [svchost.exe]

  TCP    LCB021:microsoft-ds    LCB021.lcb2010.landmark.net:0  LISTENING       4
  [System]

  TCP    LCB021:1025            LCB021.lcb2010.landmark.net:0  LISTENING       1396
  [LEXPPS.EXE]

  TCP    LCB021:3389            LCB021.lcb2010.landmark.net:0  LISTENING       888
  -- unknown component(s) --
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\ADVAPI32.dll
  [svchost.exe]

  TCP    LCB021:netbios-ssn     LCB021.lcb2010.landmark.net:0  LISTENING       4
  [System]

  TCP    LCB021:1049            LCB021.lcb2010.landmark.net:0  LISTENING       516
  [alg.exe]

  TCP    LCB021:1361            LCB021.lcb2010.landmark.net:0  LISTENING       2216
  [ccApp.exe]

  UDP    LCB021:1027            *:*                                    1080
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    LCB021:isakmp          *:*                                    736
  [lsass.exe]

  UDP    LCB021:1039            *:*                                    1776
  [SavRoam.exe]

  UDP    LCB021:1026            *:*                                    1080
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    LCB021:microsoft-ds    *:*                                    4
  [System]

  UDP    LCB021:2967            *:*                                    1880
  [Rtvscan.exe]

  UDP    LCB021:4500            *:*                                    736
  [lsass.exe]

  UDP    LCB021:netbios-dgm     *:*                                    4
  [System]

  UDP    LCB021:1900            *:*                                    1136
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    LCB021:ntp             *:*                                    1012
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    LCB021:netbios-ns      *:*                                    4
  [System]

  UDP    LCB021:1028            *:*                                    736
  [lsass.exe]

  UDP    LCB021:ntp             *:*                                    1012
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    LCB021:1043            *:*                                    680
  [winlogon.exe]

  UDP    LCB021:1900            *:*                                    1136
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]
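An added example, not from this thread, that does by script the correlation r-k and the asker are doing by hand: it parses deny lines in the shape of the firewall log above and socket lines in the shape of the "netstat -ab" output, and joins each denied outbound flow to the process bound to its source port, counting repeated attempts. The log excerpts inside the block are constructed in those shapes; the LCB021, 10.163.25.144 and alg.exe values only mirror the thread.

```python
import re

# Constructed sample in the shape of the PIX/ASA-style firewall log quoted in the thread.
FIREWALL_LOG = """\
 9:19    Deny tcp src      inside:10.163.25.144/1049 dst outside:68.142.234.45/80 by access-group "inside"
 9:19    Deny tcp src      inside:10.163.25.144/1049 dst outside:68.142.234.45/80 by access-group "inside"
 9:19    Deny tcp src      inside:10.163.25.144/1057 dst outside:68.142.234.45/80 by access-group "inside"
"""

# Constructed excerpt in the shape of Windows XP "netstat -ab" output: a socket line,
# optional module paths, then the [process] line. TCP rows have a State column, UDP rows do not.
NETSTAT_OUTPUT = """\
  TCP    LCB021:1049            LCB021.lcb2010.landmark.net:0  LISTENING       516
  [alg.exe]

  UDP    LCB021:1027            *:*                                    1080
  C:\\WINDOWS\\system32\\mswsock.dll
  [svchost.exe]
"""

# Deny <proto> src <iface>:<ip>/<port> dst <iface>:<ip>/<port>
DENY_RE = re.compile(r"Deny (\w+) src\s+[^:\s]+:([^/\s]+)/(\d+) dst [^:\s]+:([^/\s]+)/(\d+)")

def parse_netstat(text):
    """Map (proto, local port) -> (pid, process name) from netstat -ab output."""
    ports, pending = {}, None
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("TCP", "UDP"):
            # local address is host:port; the PID is always the last column
            pending = (parts[0], parts[1].rsplit(":", 1)[1], parts[-1])
        elif parts and parts[0].startswith("[") and pending:
            proto, port, pid = pending
            ports[(proto, port)] = (pid, parts[0].strip("[]"))
            pending = None
    return ports

def attribute_denies(firewall_text, netstat_text):
    """Join each denied flow to the process on its source port; count retries per flow."""
    ports, flows = parse_netstat(netstat_text), {}
    for m in DENY_RE.finditer(firewall_text):
        proto, src, sport, dst, dport = m.groups()
        key = (src, sport, dst, dport)
        if key not in flows:
            pid, proc = ports.get((proto.upper(), sport), (None, "unknown"))
            flows[key] = {"proto": proto.upper(), "src": src, "sport": sport, "dst": dst,
                          "dport": dport, "pid": pid, "process": proc, "attempts": 0}
        flows[key]["attempts"] += 1
    return list(flows.values())
```

The join is only meaningful when netstat is captured while the attempt is in flight, because XP reuses ephemeral ports and a snapshot taken later can map the same port to a different process. That is why the live views in TCPView or TDImon are the better tool for confirming which executable owns the outbound socket.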