Thread: Help unknown spyware 66.118.169.7

  1. #1
    Albert_Hall Guest

    Help unknown spyware 66.118.169.7

    Hi, I have Ad-aware and SpyBot installed, and I updated them regularly. But I
    keep getting messages that IE is trying to connect to 66.118.169.xxx. The X-es
    are different: 7, 11, 10... Can somebody help me? This is annoying, it's
    happening every minute or so.
    Tnx, and sorry if my English is bad. I'm from a non-English-speaking region.




  2. #2
    leslie Guest

    Re: Help unknown spyware 66.118.169.7

    Albert_Hall (dcosic@net.hr) wrote:
    : Hi, I have Ad-aware and SpyBot installed, and I updated them regularly.
    : But I keep getting messages that IE is trying to connect to 66.118.169.xxx.
    : The X-es are different: 7, 11, 10... Can somebody help me? This is annoying,
    : it's happening every minute or so.
    : Tnx, and sorry if my English is bad.

    It's quite good.

    : I'm from a non-English-speaking region.
    :

    The following is from an IPWHOIS lookup using www.dnsstuff.com:

    http://www.dnsstuff.com/
    DNS Stuff: DNS tools, WHOIS, tracert, ping, and other network tools.


    "WHOIS results for !NET-66-118-169-0-1

    Generated by www.DNSstuff.com

    Country: Unknown

    Looking up !NET-66-118-169-0-1 at whois.arin.net.

    NOTE: More information appears to be available at ZS203-ARIN.

    Using cached answer (or, you can get fresh results).


    CustName: Sago Networks Hosting
    Address: 4465 West Gandy Boulevard Suite 800
    City: Tampa
    StateProv: FL
    PostalCode: 33611
    Country: US
    RegDate: 2003-09-29
    Updated: 2003-09-29

    NetRange: 66.118.169.0 - 66.118.169.255
    CIDR: 66.118.169.0/24
    NetName: SAGO-66-118-169-0
    NetHandle: NET-66-118-169-0-1
    Parent: NET-66-118-128-0-1
    NetType: Reassigned
    Comment:
    RegDate: 2003-09-29
    Updated: 2003-09-29

    AbuseHandle: ABUSE32-ARIN
    AbuseName: Abuse Team
    AbusePhone: +1-866-510-4000
    AbuseEmail: abuse@sagonet.com

    TechHandle: ZS203-ARIN
    TechName: Sago Networks
    TechPhone: +1-866-510-4000
    TechEmail: ipadmin@sagonet.com

    OrgTechHandle: TECHN20-ARIN
    OrgTechName: Technical Support
    OrgTechPhone: +1-866-510-4000
    OrgTechEmail: support@sagonet.com..."

    HTH (hope that helps),

    --Jerry Leslie
    Note: leslie@jrlvax.houston.rr.com is invalid for email

  3. #3
    Albert_Hall Guest

    Re: Help unknown spyware 66.118.169.7

    Thnx. I've configured my firewall to block all traffic to and from these
    IPs.
    But there is still that spyware on my HDD that I can't find. If you have an
    idea how to track down that file and kill it, I would be grateful.

  4. #4
    Vanguard Guest

    Re: Help unknown spyware 66.118.169.7

    Maybe it is something you leave loaded on your machine that is phoning
    home, like for updates.

    Ad-aware and SpyBot scan for known spyware. They do not scan for
    trojans that might run zombies on your computer (to send data off your
    system to elsewhere or to partake in a concerted denial of service
    attack). Have you run a FULL scan using a just-updated copy of your
    anti-virus software?

    Is IE open at the time that your firewall reports this connect attempt?
    Have you checked which BHOs (browser helper objects) you have installed in
    IE? Do a Google search on "BHO Demon" to see what BHOs you have.

    Have you tried using msconfig.exe or Mike Lin's Startup applet to
    disable all programs that load on Windows startup, restarted, and see if
    the ghost connects still occur? If not, you're loading something on
    Windows startup that does this.

    Got anything in Task Scheduler that would need a network connection to
    run?


    --
    __________________________________________________ __________
    ** Share with others. Post replies in the newsgroup.
    ** If present, remove all "-NIX" from my email address.
    __________________________________________________ __________


  5. #5
    Albert_Hall Guest

    Re: Help unknown spyware 66.118.169.7

    Think I've found it, I believe that the problem was in the file tmksrvl.exe.
    I've deleted it, and now I'm gonna see.
  6. #6
    Albert_Hall Guest

    Re: Help unknown spyware 66.118.169.7

    I was wrong, the problem is still present, don't know what to do???



  7. #7
    Vanguard Guest

    Re: Help unknown spyware 66.118.169.7

    So, what ELSE have *you* done?

    - Have you run a FULL scan with a recently updated anti-virus program?

    - Have you used BHO Demon to see what BHOs are installed in IE?

    - Have you used msconfig.exe or Mike Lin's Startup applet to disable
    startup programs, reboot, and check if the problem continues?

    - Have you disabled all non-critical NT services?

    - Have you booted into Safe mode (with networking)?

    - If you disable the rules you defined to block the connection, does
    your firewall pop up an alert saying what program is trying to make an
    outbound connection (and let you select to block, permit, or manually
    configure a rule for it)? If so, that might itself identify the culprit
    program. If it is svchost.exe then an NT service is making the
    connection, so you need to stop all non-critical NT services and restart
    them one by one to see which one attempts the connection.

    - Sysinternals' TCPView (free) might indicate who owns the local port
    through which the communication is moving.

    - Use Task Manager to see what processes are running. Then go hunting
    for those executables to see where they are. Right-click on them and
    look under the Version tab to see if there is any identifying
    information as to its maker and its use.


    --
    __________________________________________________ __________
  8. #8
    Albert_Hall Guest

    Re: Help unknown spyware 66.118.169.7

    Did all that except NT services. Firewall says that IE is trying to connect
    to those IPs. Gonna try the services part. Thanx
  9. #9
    Tim Smith Guest

    Re: Help unknown spyware 66.118.169.7

    In article <blm4ou$4ll$1@bagan.srce.hr>, Albert_Hall wrote:
    > I was wrong, the problem is still present, don't know what to do???


    Isn't there anything for Windows that can tell you *what* is trying to make
    that connection? I'd expect some of the firewall products to be able to do
    that.

    It would be fairly easy for anyone who knows how to write Windows LSPs to
    write one that watches for connections to a specific IP address or range of
    IP addresses, and then reports what task is trying to make that connection,
    so I'd be very surprised if there isn't something free out there to do this
    already.

    --
    Evidence Eliminator is worthless. See evidence-eliminator-sucks.com
    --Tim Smith
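
Added example, not part of any post in this thread: one way to answer the "what is making that connection" question raised in posts #7 and #9 is to join `netstat -ano` (connection to owning PID) with `tasklist /fo csv /nh` (PID to image name) and keep only remote addresses inside the 66.118.169.0/24 range from the WHOIS result. The sample outputs, PIDs and function names below are constructed for illustration.

```python
import csv, io, ipaddress

# CIDR taken from the WHOIS result quoted earlier in the thread.
WATCH_NET = ipaddress.ip_network("66.118.169.0/24")

# Constructed sample of `netstat -ano` output (local addresses and PIDs are made up).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.20:1042      66.118.169.7:80        SYN_SENT        1516
  TCP    192.168.1.20:1043      66.118.169.11:80       ESTABLISHED     1516
  TCP    192.168.1.20:1050      192.0.2.10:443         ESTABLISHED     2040
  UDP    0.0.0.0:500            *:*                                    696
"""

# Constructed sample of `tasklist /fo csv /nh` output.
SAMPLE_TASKLIST = '''\
"svchost.exe","884","Services","0","4,120 K"
"iexplore.exe","1516","Console","0","18,304 K"
"msmsgs.exe","2040","Console","0","6,100 K"
'''

def pid_names(tasklist_csv):
    """Map PID -> image name from tasklist CSV rows."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {row[1]: row[0] for row in rows if len(row) >= 2}

def watched_connections(netstat_text, tasklist_csv, net=WATCH_NET):
    """Return (remote_ip, remote_port, state, pid, image) for TCP rows whose remote end is in net."""
    names = pid_names(tasklist_csv)
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # headers, UDP rows, blank lines
        host, _, port = fields[2].rpartition(":")
        try:
            addr = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            continue  # wildcard or unparsable address
        if addr in net:
            pid = fields[4]
            hits.append((str(addr), port, fields[3], pid, names.get(pid, "unknown")))
    return hits

if __name__ == "__main__":
    for ip, port, state, pid, image in watched_connections(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{image} (PID {pid}) -> {ip}:{port} [{state}]")
```

The PID identifies the host process only: a BHO loaded inside IE shows up as iexplore.exe, which matches what the firewall reported in this thread, so a hit on iexplore.exe still calls for the BHO and startup checks listed in post #7.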

  10. #10
    Jay T. Blocksom Guest

    Re: Help unknown spyware 66.118.169.7

    On Tue, 30 Sep 2003 20:30:03 +0200, in <alt.privacy.spyware>, "Albert_Hall"
    <dcosic@net.hr> wrote:
    >
    > Hi, I have Ad-aware and SpyBot installed, and I updated them regularly.
    > But I keep getting messages that IE is trying to connect to
    > 66.118.169.xxx. The X-es are different: 7, 11, 10... Can somebody help me?
    > This is annoying, it's happening every minute or so.

    [snip]

    It is a reasonably decent bet that your system has been turned into a
    "zombie host" by some of the known hardcore proxy-hijackers/spammers who
    find a comfy pink home at <sagonet.com>:

    <http://groups.google.com/groups?selm=vjgdh9bqsinnf1%40corp.supernews.com>
    <http://groups.google.com/groups?selm=vjo9fc4dc8gub0%40corp.supernews.com>
    <http://groups.google.com/groups?selm=vk8qq3gi1grd36%40corp.supernews.com>
    <http://groups.google.com/groups?selm=vkrbhsicn48va8%40corp.supernews.com>

    If this is the case, you need to do a *thorough* audit of everything
    installed on your system, and especially all processes which are executing
    after a clean re-boot. Better yet, wipe the disk and do a proper ground-up
    re-install of the OS and *only* those apps which are both necessary and
    non-hazardous (this leaves out MSIE, of course) from known-good media. The
    utilities you find here:

    <http://www.litepc.com/>
    <http://www.litepc.com/ieradicator.html>

    will help ease that task immensely.

    > Tnx, and sorry if my English is bad. I'm from a non-English-speaking
    > region.
    >


    No problem -- I understood you just fine.

    --

    Jay T. Blocksom
    --------------------------------
    Appropriate Technology, Inc.
    usenet01[at]appropriate-tech.net


    "They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety."
    -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: E-Mail address in "From:" line is INVALID! Remove +SPAMBLOCK to mail.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Unsolicited advertising sent to this E-Mail address is expressly prohibited
    under USC Title 47, Section 227. Violators are subject to charge of up to
    $1,500 per incident or treble actual costs, whichever is greater.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
