ntijones
asked on
Computer tries to access 68.142.234.*
We have XP computers trying to access 68.142.234.* and Symantec, AdWare and SpyBot do not catch anything. Any ideas?
How did you find this out? Through the netstat command? Which ports are being used (both on your end and on the other end)?
Try the "netstat -ab" command at a command prompt to see which programs have which connections open.
I was thinking along the same lines as r-k. Although I was thinking of sysinternals tools, probably tdi-mon. But that's just off the top of my head.
That network block belongs to Inktomi, a search engine company. Probably some browser toolbar reporting back or checking for updates.
Yes, all the sysinternals tools are highly recommended. In addition to TDImon, also see TCPview:
http://www.sysinternals.com/Utilities/TcpView.html
That IP block belongs to Inktomi...see here: http://www.dnsstuff.com/tools/whois.ch?ip=68.142.234.1
Inktomi is a huge search provider for things like MSN, Yahoo, Hotbot, etc.
It's probably something like an IE toolbar add-on from one of the major players like Yahoo or similar that's causing the traffic.
oops...sorry boywaja, I should read better...
ASKER
http://www.hijackthis.de/logfiles/c8840a857fdea431c42762f6ab9d9e48.html
http://www.hijackthis.de/logfiles/5a11af108e5aca6433511716e0fdc6df.html
The computer tries to access 68.142.234.* at computer startup. You do not have to start a browser.
Safe mode and normal mode logs are attached. All temp files and cookies have been cleared. Msconfig has been reduced to minimum.
This is also seen in the firewall log. A portion is below:
4/12/2006
9:19 Deny tcp src inside:10.163.25.144/1049 dst outside:68.142.234.45/80 by access-group "inside"
9:19 Deny tcp src inside:10.163.25.144/1049 dst outside:68.142.234.45/80 by access-group "inside"
9:19 Deny tcp src inside:10.163.25.144/1057 dst outside:68.142.234.45/80 by access-group "inside"
9:19 Deny tcp src inside:10.163.25.144/1057 dst outside:68.142.234.45/80 by access-group "inside"
9:19 Deny tcp src inside:10.163.25.144/1057 dst outside:68.142.234.45/80 by access-group "inside"
9:19 Deny tcp src inside:10.163.25.144/1062 dst outside:68.142.234.45/80 by access-group "inside"
9:19 Deny tcp src inside:10.163.25.144/1062 dst outside:68.142.234.45/80 by access-group "inside"
9:19 Deny tcp src inside:10.163.25.144/1062 dst outside:68.142.234.45/80 by access-group "inside"
Netstat log:
Active Connections
Proto Local Address Foreign Address State PID
TCP LCB021:epmap LCB021.lcb2010.landmark.net:0 LISTENING 948
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\svchost.exe
-- unknown component(s) --
[svchost.exe]
TCP LCB021:microsoft-ds LCB021.lcb2010.landmark.net:0 LISTENING 4
[System]
TCP LCB021:1025 LCB021.lcb2010.landmark.net:0 LISTENING 1396
[LEXPPS.EXE]
TCP LCB021:3389 LCB021.lcb2010.landmark.net:0 LISTENING 888
-- unknown component(s) --
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ADVAPI32.dll
[svchost.exe]
TCP LCB021:netbios-ssn LCB021.lcb2010.landmark.net:0 LISTENING 4
[System]
TCP LCB021:1049 LCB021.lcb2010.landmark.net:0 LISTENING 516
[alg.exe]
TCP LCB021:1361 LCB021.lcb2010.landmark.net:0 LISTENING 2216
[ccApp.exe]
UDP LCB021:1027 *:* 1080
C:\WINDOWS\system32\mswsock.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\DNSAPI.dll
c:\windows\system32\dnsrslvr.dll
C:\WINDOWS\system32\RPCRT4.dll
[svchost.exe]
UDP LCB021:isakmp *:* 736
[lsass.exe]
UDP LCB021:1039 *:* 1776
[SavRoam.exe]
UDP LCB021:1026 *:* 1080
C:\WINDOWS\system32\mswsock.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\DNSAPI.dll
c:\windows\system32\dnsrslvr.dll
C:\WINDOWS\system32\RPCRT4.dll
[svchost.exe]
UDP LCB021:microsoft-ds *:* 4
[System]
UDP LCB021:2967 *:* 1880
[Rtvscan.exe]
UDP LCB021:4500 *:* 736
[lsass.exe]
UDP LCB021:netbios-dgm *:* 4
[System]
UDP LCB021:1900 *:* 1136
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]
UDP LCB021:ntp *:* 1012
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]
UDP LCB021:netbios-ns *:* 4
[System]
UDP LCB021:1028 *:* 736
[lsass.exe]
UDP LCB021:ntp *:* 1012
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]
UDP LCB021:1043 *:* 680
[winlogon.exe]
UDP LCB021:1900 *:* 1136
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]
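The two artefacts in this thread, the firewall's "Deny ... by access-group" lines and the "netstat -ab" listing that r-k suggested, are only useful together: the firewall gives the source port of each blocked attempt, and netstat maps a local port to the process that owns it. The script below is an added example, not code from the thread or from any of the tools named in it. It parses both formats, counts blocked attempts towards a destination network, and looks up each denied source port in the netstat snapshot. The sample log and netstat text are constructed here (the 198.51.100.7 line is invented to show the destination filter at work); the function names and the dict layout are this example's own.

```python
"""Correlate firewall deny lines with a netstat -b listing (added example, not from the thread)."""
import ipaddress
import re
from collections import Counter

# Constructed sample in the PIX/ASA "Deny ... by access-group" format quoted in the thread.
# The 198.51.100.7 line is invented here to show that unrelated destinations are filtered out.
FIREWALL_LOG = """\
4/12/2006
9:19 Deny tcp src inside:10.163.25.144/1049 dst outside:68.142.234.45/80 by access-group "inside"
9:19 Deny tcp src inside:10.163.25.144/1049 dst outside:68.142.234.45/80 by access-group "inside"
9:19 Deny tcp src inside:10.163.25.144/1057 dst outside:68.142.234.45/80 by access-group "inside"
9:19 Deny tcp src inside:10.163.25.144/1062 dst outside:68.142.234.45/80 by access-group "inside"
9:20 Deny udp src inside:10.163.25.144/1039 dst outside:198.51.100.7/53 by access-group "inside"
"""

# Constructed excerpt in the layout of "netstat -b" on Windows XP: a socket line, optional
# module paths, then the owning process in square brackets.
NETSTAT_TEXT = r"""
Active Connections
Proto Local Address Foreign Address State PID
TCP LCB021:1049 LCB021.lcb2010.landmark.net:0 LISTENING 516
[alg.exe]
TCP LCB021:1361 LCB021.lcb2010.landmark.net:0 LISTENING 2216
[ccApp.exe]
UDP LCB021:1039 *:* 1776
[SavRoam.exe]
TCP LCB021:3389 LCB021.lcb2010.landmark.net:0 LISTENING 888
-- unknown component(s) --
c:\windows\system32\rpcss.dll
[svchost.exe]
"""

DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src \w+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst \w+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_denies(text):
    """Return one dict per deny line; date headers and other lines are ignored."""
    denies = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["proto"] = d["proto"].lower()
            d["src_port"] = int(d["src_port"])
            d["dst_port"] = int(d["dst_port"])
            denies.append(d)
    return denies


def summarize(denies, dst_network):
    """Count attempts per (src_ip, dst_ip, dst_port) towards the given destination network."""
    net = ipaddress.ip_network(dst_network)
    counts = Counter()
    for d in denies:
        if ipaddress.ip_address(d["dst_ip"]) in net:
            counts[(d["src_ip"], d["dst_ip"], d["dst_port"])] += 1
    return counts


def parse_netstat(text):
    """Parse netstat -b style output into socket entries with owning process and modules."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--"):
            continue  # blank lines and "-- unknown component(s) --"
        parts = line.split()
        if parts[0] in ("TCP", "UDP"):
            port = parts[1].rsplit(":", 1)[1]  # service name or number after the last colon
            current = {
                "proto": parts[0].lower(),
                "local_port": int(port) if port.isdigit() else port,
                "state": parts[3] if parts[0] == "TCP" else None,  # UDP lines carry no state
                "pid": int(parts[-1]),
                "process": None,
                "modules": [],
            }
            entries.append(current)
        elif current is None:
            continue  # header lines before the first socket
        elif line.startswith("[") and line.endswith("]"):
            current["process"] = line[1:-1]
            current = None  # the bracketed process name closes the entry
        else:
            current["modules"].append(line)  # module path belonging to the current socket
    return entries


def attribute(denies, entries):
    """Map each denied source port to the process holding that local port, or None."""
    by_port = {(e["proto"], e["local_port"]): e["process"] for e in entries}
    return {d["src_port"]: by_port.get((d["proto"], d["src_port"])) for d in denies}


if __name__ == "__main__":
    denies = parse_denies(FIREWALL_LOG)
    for key, n in summarize(denies, "68.142.234.0/24").items():
        print(f"{n} attempts {key[0]} -> {key[1]}:{key[2]}")
    for port, proc in attribute(denies, parse_netstat(NETSTAT_TEXT)).items():
        print(f"source port {port}: {proc or 'not in snapshot'}")
```

Source ports in the 1024 to 5000 range are ephemeral on XP and are reused as soon as a socket closes, so the lookup only means something when the netstat snapshot is taken while the connection attempt is in progress or immediately after; a port that is not in the snapshot (here 1057 and 1062) says nothing about which program opened it. Running netstat in a loop at startup, when the asker says the traffic appears, is the practical way to catch the owner.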