  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 206
  • Last Modified:

Computer tries to access 68.142.234.*

We have XP computers trying to access 68.142.234.*, and Symantec, AdWare and SpyBot do not catch anything. Any ideas?
Asked: ntijones
1 Solution
 
David-HowardCommented:
Can you give us more information? Are these PCs directed to the IP you listed when they launch their browsers?
If so, have you cleared the IE Temp files and run HiJackThis in Safe Mode?
HiJackThis: (Scroll to about mid page) http://www.spywareinfo.com/~merijn/
Post the log file here for free analysis: http://www.hijackthis.de/
Check the Startup tab as well and remove entries that obviously do not belong.
Start>Run>Msconfig>Startup
0
 
JohnK813Commented:
How did you find this out?  Through the netstat command?  Which ports are being used (both on your end and on the other end)?
0
 
r-kCommented:
Try the "netstat -ab" command at a command prompt to see which programs have which connections open.
0
boywajaCommented:
I was thinking along the same lines as r-k.  Although I was thinking of sysinternals tools, probably tdi-mon.  But that's just off the top of my head.

That network block belongs to Inktomi, a search engine company. Probably some browser toolbar reporting back or checking for updates.
0
 
r-kCommented:
Yes, all the sysinternals tools are highly recommended. In addition to TDImon, also see TCPview:

 http://www.sysinternals.com/Utilities/TcpView.html
0
 
TheCleanerCommented:
That IP block belongs to Inktomi...see here:  http://www.dnsstuff.com/tools/whois.ch?ip=68.142.234.1

Inktomi is a huge search provider for things like MSN, Yahoo, Hotbot, etc.

It's probably something like an IE toolbar add-on from one of the major players like Yahoo or similar that's causing the traffic.
0
 
TheCleanerCommented:
oops...sorry boywaja, I should read better...
0
 
ntijonesAuthor Commented:
http://www.hijackthis.de/logfiles/c8840a857fdea431c42762f6ab9d9e48.html
http://www.hijackthis.de/logfiles/5a11af108e5aca6433511716e0fdc6df.html

The computer tries to access 68.142.234.* at computer startup. You do not have to start a browser.
Safe mode and normal mode logs are attached. All temp files and cookies have been cleared. Msconfig has been reduced to minimum.

This is also seen in the firewall log. A portion is below:
 4/12/2006

 9:19    Deny tcp src      inside:10.163.25.144/1049 dst outside:68.142.234.45/80 by access-group "inside"
 9:19    Deny tcp src      inside:10.163.25.144/1049 dst outside:68.142.234.45/80 by access-group "inside"

 9:19    Deny tcp src      inside:10.163.25.144/1057 dst outside:68.142.234.45/80 by access-group "inside"
 9:19    Deny tcp src      inside:10.163.25.144/1057 dst outside:68.142.234.45/80 by access-group "inside"
 9:19    Deny tcp src      inside:10.163.25.144/1057 dst outside:68.142.234.45/80 by access-group "inside"

 9:19    Deny tcp src      inside:10.163.25.144/1062 dst outside:68.142.234.45/80 by access-group "inside"
 9:19    Deny tcp src      inside:10.163.25.144/1062 dst outside:68.142.234.45/80 by access-group "inside"
 9:19    Deny tcp src      inside:10.163.25.144/1062 dst outside:68.142.234.45/80 by access-group "inside"

Netstat log:
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    LCB021:epmap           LCB021.lcb2010.landmark.net:0  LISTENING       948
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  -- unknown component(s) --
  [svchost.exe]

  TCP    LCB021:microsoft-ds    LCB021.lcb2010.landmark.net:0  LISTENING       4
  [System]

  TCP    LCB021:1025            LCB021.lcb2010.landmark.net:0  LISTENING       1396
  [LEXPPS.EXE]

  TCP    LCB021:3389            LCB021.lcb2010.landmark.net:0  LISTENING       888
  -- unknown component(s) --
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\ADVAPI32.dll
  [svchost.exe]

  TCP    LCB021:netbios-ssn     LCB021.lcb2010.landmark.net:0  LISTENING       4
  [System]

  TCP    LCB021:1049            LCB021.lcb2010.landmark.net:0  LISTENING       516
  [alg.exe]

  TCP    LCB021:1361            LCB021.lcb2010.landmark.net:0  LISTENING       2216
  [ccApp.exe]

  UDP    LCB021:1027            *:*                                    1080
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    LCB021:isakmp          *:*                                    736
  [lsass.exe]

  UDP    LCB021:1039            *:*                                    1776
  [SavRoam.exe]

  UDP    LCB021:1026            *:*                                    1080
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    LCB021:microsoft-ds    *:*                                    4
  [System]

  UDP    LCB021:2967            *:*                                    1880
  [Rtvscan.exe]

  UDP    LCB021:4500            *:*                                    736
  [lsass.exe]

  UDP    LCB021:netbios-dgm     *:*                                    4
  [System]

  UDP    LCB021:1900            *:*                                    1136
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    LCB021:ntp             *:*                                    1012
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    LCB021:netbios-ns      *:*                                    4
  [System]

  UDP    LCB021:1028            *:*                                    736
  [lsass.exe]

  UDP    LCB021:ntp             *:*                                    1012
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    LCB021:1043            *:*                                    680
  [winlogon.exe]

  UDP    LCB021:1900            *:*                                    1136
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

0
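The thread's own next step is to match the source ports in the firewall's Deny lines against the PID/process columns of "netstat -ab". The script below does that correlation; it is an added example, not code posted in the thread, and its sample input is a constructed excerpt of the log and netstat output shown above. Because ephemeral ports like 1049 and 1057 are reused, the match is only meaningful when netstat is captured at the same time the denies are logged.

```python
import re
from collections import Counter

# Constructed sample input: a few firewall Deny lines and netstat -ab socket
# entries, trimmed from the output posted above in this thread.
FIREWALL_LOG = """\
 9:19    Deny tcp src      inside:10.163.25.144/1049 dst outside:68.142.234.45/80 by access-group "inside"
 9:19    Deny tcp src      inside:10.163.25.144/1049 dst outside:68.142.234.45/80 by access-group "inside"
 9:19    Deny tcp src      inside:10.163.25.144/1057 dst outside:68.142.234.45/80 by access-group "inside"
"""
NETSTAT = """\
  TCP    LCB021:1025            LCB021.lcb2010.landmark.net:0  LISTENING       1396
  [LEXPPS.EXE]

  TCP    LCB021:1049            LCB021.lcb2010.landmark.net:0  LISTENING       516
  [alg.exe]
"""

# "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> ..." as logged by the firewall
DENY_RE = re.compile(r'Deny (?P<proto>\w+) src\s+\S+:(?P<src>[\d.]+)/(?P<sport>\d+) '
                     r'dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)')
# A netstat -ab socket line: proto, local addr:port, foreign addr, [state], PID
SOCK_RE = re.compile(r'^\s*(TCP|UDP)\s+\S+:(?P<port>\S+)\s+\S+\s+(?:\S+\s+)?(?P<pid>\d+)\s*$')
# The "[name.exe]" line that closes each socket's module list
PROC_RE = re.compile(r'^\s*\[(?P<proc>[^\]]+)\]\s*$')

def parse_denies(text):
    """Return (src_port, dst_ip, dst_port) for every Deny line in the log."""
    return [(int(m['sport']), m['dst'], int(m['dport']))
            for m in (DENY_RE.search(line) for line in text.splitlines()) if m]

def parse_netstat(text):
    """Map local port -> (pid, process). A socket line gives port and PID;
    the following [name] line (after any DLL lines) names the process."""
    ports, pending = {}, None
    for line in text.splitlines():
        sock = SOCK_RE.match(line)
        if sock:
            pending = (sock['port'], int(sock['pid']))
            continue
        proc = PROC_RE.match(line)
        if proc and pending:
            ports[pending[0]] = (pending[1], proc['proc'])
            pending = None
    return ports

def correlate(log, netstat, dst_prefix):
    """Count denied connections to dst_prefix, keyed by the local process owning the source port."""
    table = parse_netstat(netstat)
    hits = Counter()
    for sport, dst, dport in parse_denies(log):
        if dst.startswith(dst_prefix):
            pid, proc = table.get(str(sport), (None, 'unknown'))
            hits[(proc, pid, f'{dst}:{dport}')] += 1
    return hits
```

Ports with no matching netstat entry show up as 'unknown', which usually means the socket was already closed when netstat ran; re-run both captures together rather than guessing.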
