
Thread: cannot find spy


  1. #1
    peter krom Guest

    Re: cannot find spy

    In article <5p4o5198n8r1s9d9hpkfs4a9q3i14kqhlf@news.speakeasy .net>,
    not.deliverable+usenet02@appropriate-tech.net says...
    > On Tue, 12 Apr 2005 13:26:11 +0200, in <alt.privacy.spyware>, peter krom
    > <jonhy@rook.com> wrote:
    > That was near-certainly unnecessary; and it makes little (if any) sense,
    > particularly in light of your original article. Nowhere in it did you state
    > that the SYNs were being sent *only* when Firefox was running. And besides,
    > Firefox itself is *not* in any way malicious; nor is it particularly
    > vulnerable to attack from malware (unlike, for a very pointed example, MSIE's
    > susceptibility to "home page hijackers"). So why would it be "phoning home"
    > to Kel Ellis? No, this just doesn't add up.
    > I *strongly* urge you to re-examine your system *very* closely. The odds are
    > overwhelming that either you did not tell the full and correct story
    > initially, or you did *not* completely clean things up -- or both.


    I do think that Firefox itself is a good browser, I uninstalled it
    reluctantly... When exiting firefox using ->file->exit a resident
    portion stayed in memory, I was able to remove it from memory using
    taskmanager and that is when I discovered the syn's were gone. I have
    been looking at all network related files installed and verified them by
    using the original install information and calculating crc's. All
    network-related files are in fact original. There was one file which did
    not have the same crc as the original and replaced it. I am going to
    reinstall mozilla and see what happens....

    Peter


    ---
    avast! Antivirus: Outgoing message is not infected.
    Virus Database (VPS): 0515-1, 2005-04-12
    Tested on: 13-4-2005 15:05:16
    avast! copyright (c) 1988-2004 ALWIL Software.
    http://www.avast.com




  2. #2
    Paul Vader Guest

    Re: cannot find spy

    peter krom <jonhy@rook.com> writes:
    >After searching through my system I Uninstalled Mozilla Firefox, this
    >was apparently the source of sending the syn to kelcos.. Now that firefox
    >is no longer installed, the Syn's aren't sent anymore. Furthermore All
    >registry-entries concerning Mozilla Firefox are deleted. Thanx for the


    If firefox itself is doing this I'll eat my hat. More likely, you had one
    of several extensions that phone home, if the removal and the disappearance
    of the connection attempts are in any way connected.

    Neither firefox nor a snarky extension can be making connection attempts
    when firefox isn't running. If you see this only when you have a browser
    open, look at your extension list. I've seen at least one that I consider
    iffy - it, in exchange for some extra functionality in google, adds
    affiliate links to certain sites and tunnels back to a central server for
    some images. *
    --
    * PV something like badgers--something like lizards--and something
    like corkscrews.

  3. #3
    Jay T. Blocksom Guest

    Re: cannot find spy

    Arrrrggghh... I screwed up the cut&paste on a couple of those URLs. The
    corrected version is:

    On Mon, 11 Apr 2005 14:18:46 -0400, in <alt.privacy.spyware>, Jay T. Blocksom
    <not.deliverable+usenet02@appropriate-tech.net> wrote:
    >
    > The IP address in question is part of a (presumably DHCP-assigned) DSL pool
    > in Turkey:
    >
    > <http://www.dnsstuff.com/tools/ptr.ch?ip=81.215.160.197>
    > <http://www.dnsstuff.com/tools/whois.ch?ip=81.215.160.197>
    >
    > Note also that the hostname in question is now (well, as of two minutes ago
    > when I checked) resolving to a different address within that same pool:
    >
    > <http://samspade.org/t/lookat?a=kelcos5.dynu.com>
    > <http://www.dnsstuff.com/tools/ptr.ch?ip=81.215.161.29>
    > <http://www.dnsstuff.com/tools/whois.ch?ip=81.215.161.29>
    >
    > And by the time you read this, it may well have shifted again.


    --

    Jay T. Blocksom
    --------------------------------
    Appropriate Technology, Inc.
    usenet02[at]appropriate-tech.net

    "They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety."
    -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Unsolicited advertising sent to this domain is expressly prohibited under
    47 USC S227 and State Law. Violators are subject to prosecution.

  4. #4
    Paul Vader Guest

    Re: cannot find spy

    address@signature.blk writes:
    >On Fri, 8 Apr 2005 13:53:28 +0200, in <alt.privacy.spyware>, peter krom
    ><jonhy@rook.com> wrote:
    > >
    > > when running Netview I discovered that my Laptop sends a syn to a
    > > certain ip-address, which looked up to - kelcos5.dynu.com -
    > > at IP-address 81.215.160.197 every minute or so.


    It's not sending a syn by itself - more likely it's trying to open a socket,
    and you see 'SYN SENT' in netstat because the other end isn't up. Also note -
    the DNS address of kelcos5.dynu.com has changed since you posted that.
    Dynu.com is a dynamic DNS provider, like the more popular dyndns.org. I
    can't think of a GOOD reason why your PC would be going there without your
    knowledge. Spyware or a zombie trojan are possibilities.

    The IPs don't seem to respond, but I'm not doing a portscan for you. Go get
    some spyware software (on a different PC) and do a complete cleanup of the
    affected PC. Do not bring it back online until you've done so. *
    --
    * PV something like badgers--something like lizards--and something
    like corkscrews.

  5. #5
    Steve Baker Guest

    Re: cannot find spy

    On Wed, 13 Apr 2005 15:02:01 -0000, pv+usenet@pobox.com (Paul Vader)
    wrote:

    >
    >It's not sending a syn by itself - more likely it's trying to open a socket,
    >and you see 'SYN SENT' in netstat because the other end isn't up.


    What's the difference between "sending a SYN" and "trying to open a
    socket"?

    Steve Baker


  6. #6
    peter krom Guest

    Re: cannot find spy

    In article <ivqr5197medheeslh0q5ea152hgcfa92bo@4ax.com>,
    bakesph@comcast.net says...

    COMCAST.NET???? this domain is in the blacklist of my mailserver for
    spamming....

    > What's the difference between "sending a SYN" and "trying to open a
    > socket"?


    Both are connections you don't want in this case simply because your
    privacy has been invaded. I know: the safest way to have a computer is
    NOT to hook it up to the internet, but morality states that one's
    privacy should not be invaded... This shouldn't be an issue IMHO

    Peter


    ---
    avast! Antivirus: Outgoing message is not infected.
    Virus Database (VPS): 0515-1, 2005-04-12
    Tested on: 14-4-2005 9:56:30
    avast! copyright (c) 1988-2004 ALWIL Software.
    http://www.avast.com




  7. #7
    Paul Vader Guest

    Re: cannot find spy

    Steve Baker <bakesph@comcast.net> writes:
    >>It's not sending a syn by itself - more likely it's trying to open a socket,
    >>and you see 'SYN SENT' in netstat because the other end isn't up.

    >
    > What's the difference between "sending a SYN" and "trying to open a
    >socket"?


    You can do the first without any intention of ever doing the second. See
    'syn flooding' for example. When you see "SYN SENT" on a netstat, unless it
    appears and disappears, it's almost certainly because a process is trying to
    open a socket, and the TCP stack is waiting for an SYN ACK before returning
    a socket pointer to the process. *
    --
    * PV something like badgers--something like lizards--and something
    like corkscrews.
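
The distinction drawn in the post above (a SYN_SENT entry that persists versus one that "appears and disappears"), as an added example that is not part of the original thread: it compares several `netstat -ano` snapshots and reports which process keeps retrying the same remote endpoint. The sample rows, addresses and PIDs are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# One TCP row of Windows `netstat -ano`: proto, local, foreign, state, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

# Constructed sample: three snapshots taken about a minute apart.
# Addresses are RFC 5737 documentation ranges; PIDs are made up.
SNAPSHOTS = [
    """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:1045        203.0.113.7:80         SYN_SENT        1234
  TCP    192.0.2.10:1046        198.51.100.20:443      ESTABLISHED     2200
""",
    """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:1051        203.0.113.7:80         SYN_SENT        1234
  TCP    192.0.2.10:1052        198.51.100.20:443      SYN_SENT        2200
""",
    """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:1058        203.0.113.7:80         SYN_SENT        1234
  TCP    192.0.2.10:1052        198.51.100.20:443      ESTABLISHED     2200
""",
]

def syn_sent(snapshot):
    """Return the (remote endpoint, PID) pairs in SYN_SENT in one snapshot."""
    pairs = set()
    for line in snapshot.splitlines():
        m = ROW.match(line)
        if m and m.group(3) == "SYN_SENT":
            # The local ephemeral port changes on every retry, so it is
            # left out of the key; remote endpoint plus PID is stable.
            pairs.add((m.group(2), int(m.group(4))))
    return pairs

def persistent_syn_sent(snapshots, min_hits=2):
    """List (remote, pid, hits) seen in SYN_SENT in at least min_hits snapshots."""
    hits = Counter()
    for snap in snapshots:
        hits.update(syn_sent(snap))  # each pair counts once per snapshot
    found = [(r, pid, n) for (r, pid), n in hits.items() if n >= min_hits]
    return sorted(found, key=lambda t: (-t[2], t[0], t[1]))

if __name__ == "__main__":
    for remote, pid, n in persistent_syn_sent(SNAPSHOTS):
        print(f"PID {pid} -> {remote}: SYN_SENT in {n} of {len(SNAPSHOTS)} snapshots")
```

The reported PID can then be matched to an image name in Task Manager's PID column; a connection that shows SYN_SENT in only one snapshot and is ESTABLISHED in the others is an ordinary handshake caught mid-flight.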

  8. #8
    Steve Baker Guest

    Re: cannot find spy

    On Thu, 14 Apr 2005 15:04:54 -0000, pv+usenet@pobox.com (Paul Vader)
    wrote:

    >Steve Baker <bakesph@comcast.net> writes:
    >>>It's not sending a syn by itself - more likely it's trying to open a socket,
    >>>and you see 'SYN SENT' in netstat because the other end isn't up.

    >>
    >> What's the difference between "sending a SYN" and "trying to open a
    >>socket"?

    >
    >You can do the first without any intention of ever doing the second. See
    >'syn flooding' for example. When you see "SYN SENT" on a netstat, unless it
    >appears and disappears, it's almost certainly because a process is trying to
    >open a socket, and the TCP stack is waiting for an SYN ACK before returning
    >a socket pointer to the process. *


    I see what you mean now. I was misunderstanding the "syn by itself"
    part, thinking that the "by itself" part referred to the browser, not
    the packet.

    Steve Baker

