Odd Connection on startup

Malware detection, cleaning and prevention
exeteluser9384759
Posts: 8
Joined: Tue Nov 02, 2010 12:36 pm
Location: NSW, Mid North Coast

Odd Connection on startup

Post by exeteluser9384759 » Tue Nov 02, 2010 5:03 pm

Every time I start my computer it creates two connections to 188.72.244.195. The local ports are somewhere between 1000-1100 and the remote port is 53, so it seems like my computer is doing a DNS lookup on that server. I can't figure out which program is initiating the connection. The program I'm using to monitor is cports, like a GUI for netstat. I've tried creating a firewall rule to block all TCP/UDP data from port 1 to 65535 to that IP address, but the connection still initiates itself every time on startup.

Should I consider this a virus/rootkit/spyware threat or just ignore it? I'm thinking of reinstalling Windows just to be safe, and in the meantime not logging into online banking sites.
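The poster's problem is attributing a connection to a process, which cports/netstat alone does not do. The script below is an added example, not something from the thread or from the poster; it watches for connections to the address named in the post (188.72.244.195 is taken from the post; the log path and polling interval are arbitrary choices), resolves the owning process and its parent, and lists any loaded module that does not carry a valid Authenticode signature, since an unsigned DLL inside an otherwise legitimate host such as svchost.exe is the pattern to look for when injection is suspected. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated PowerShell session so other processes' module lists are readable.

```powershell
# Added example (not from the original thread): which process talks to a given remote IP,
# and which of its loaded modules are unsigned. Save as Watch-Connection.ps1 and run elevated
# right after logon, e.g.  .\Watch-Connection.ps1 -RemoteAddress 188.72.244.195 -Seconds 120
param(
    [string]$RemoteAddress = '188.72.244.195',   # address from the first post
    [int]$Seconds = 120,                         # how long to watch after starting (assumed)
    [string]$Log = "$env:TEMP\odd-connection.log" # arbitrary log location (assumed)
)

function Get-ConnectionOwner {
    param([string]$Ip)
    # Get-NetTCPConnection returns every state, so SYN_SENT attempts that a firewall rule
    # blocks are still reported; that is what cports shows as a "connection" too.
    Get-NetTCPConnection -RemoteAddress $Ip -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)"
            [pscustomobject]@{
                Time        = Get-Date -Format o
                LocalPort   = $_.LocalPort
                RemotePort  = $_.RemotePort
                State       = $_.State
                Pid         = $_.OwningProcess
                Image       = $p.ExecutablePath
                CommandLine = $p.CommandLine
                ParentPid   = $p.ParentProcessId
            }
        }
}

function Get-UnsignedModules {
    param([int]$ProcessId)
    # Every module the process has mapped; anything without a valid signature is
    # worth a second look, especially inside svchost.exe, explorer.exe or a browser.
    try { $proc = Get-Process -Id $ProcessId -ErrorAction Stop } catch { return @() }
    $proc.Modules | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FileName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Pid = $ProcessId; Module = $_.FileName; Status = $sig.Status }
        }
    }
}

$deadline = (Get-Date).AddSeconds($Seconds)
$seen = @{}
while ((Get-Date) -lt $deadline) {
    foreach ($c in Get-ConnectionOwner -Ip $RemoteAddress) {
        $c | Format-List | Out-String | Tee-Object -FilePath $Log -Append
        if (-not $seen.ContainsKey($c.Pid)) {
            # Inspect each owning process once; the module list does not change per connection.
            $seen[$c.Pid] = $true
            Get-UnsignedModules -ProcessId $c.Pid | Format-Table -AutoSize | Out-String |
                Tee-Object -FilePath $Log -Append
        }
    }
    Start-Sleep -Milliseconds 500
}
```

Two caveats. A lookup on port 53 over UDP is connectionless and has no remote address in Get-NetUDPEndpoint, so for that case correlate the local port with the Microsoft-Windows-DNS-Client/Operational event log or a packet capture instead. And if the owning process turns out to be svchost.exe, the command line (`-k <group>`) tells you which service group hosts the connection, which narrows the search to a handful of services rather than the whole Services key.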

Dazzled
Volunteer Site Admin
Posts: 6000
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Odd Connection on startup

Post by Dazzled » Tue Nov 02, 2010 5:40 pm

It's going to the Ukraine, to an address belonging to nkvdteam.ru. nkvd.pro seems to sell domain names etc. Not an attractive business name from Russian history.

I'd consider anything that operates uncontrolled like this as suspicious. Regarding banking, if you need it soon, read the Police advice at http://www.itnews.com.au/News/157767,ns ... nking.aspx. It might seem extreme, but it is safe.

Oh, and welcome on your first post.

exeteluser9384759
Posts: 8
Joined: Tue Nov 02, 2010 12:36 pm
Location: NSW, Mid North Coast

Re: Odd Connection on startup

Post by exeteluser9384759 » Tue Nov 02, 2010 6:40 pm

No results from AV scan or Spybot. A port scan from grc.com shows all my ports are stealthed except for web/https and legitimate listening ports. Still I can't figure out how the connection is being initiated: nothing suspicious on startup, no suspicious services (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services). Somehow something must have executed and injected itself into a DLL somewhere. The only software I've installed in the past week is freeware WebVideoCap and a universe simulator, making sure to deselect any adware/toolbars.

Also this morning I woke up to find some spyware program calling itself "antivirus 2010" had somehow installed itself, executed, and was claiming to have done a system scan and found 66 viruses. Smelling the rancid scent of BS, I uninstalled it promptly through appwiz.cpl without touching the program in any way.
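The post above describes eyeballing the Services key and the startup list by hand. The script below is an added example (not the poster's, and not from Exetel or Malwarebytes) that does the same sweep mechanically: it walks the Run/RunOnce keys in both hives, every service's ImagePath and, for svchost-hosted services, the ServiceDll, then flags images that are missing, unsigned, or signed but living outside the Windows and Program Files trees. The trusted-location list and the regexes for pulling a path out of a command line are assumptions made for the example; run it elevated.

```powershell
# Added example (not from the original thread): enumerate autostart entries and services,
# flag images that are missing, unsigned, or in an unexpected directory. Run elevated.

function Resolve-ImagePath {
    param([string]$Raw)
    # Turn a registry value such as  "C:\x\y.exe" -k foo  or  \SystemRoot\system32\drivers\z.sys
    # into a plain file path. Patterns are assumptions covering the common forms.
    if (-not $Raw) { return $null }
    $s = [Environment]::ExpandEnvironmentVariables($Raw)
    $s = $s -replace '^\\\?\?\\', ''                        # \??\C:\... prefix
    $s = $s -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\...
    $s = $s -replace '^system32\\', "$env:SystemRoot\system32\"
    if ($s -match '^\s*"([^"]+)"') { return $Matches[1] }   # quoted path, arguments follow
    if ($s -match '^\s*(\S+?\.(exe|sys|dll))') { return $Matches[1] }
    return $s.Trim()
}

function Test-Suspicious {
    param([string]$Path)
    # Returns a reason string, or $null when the image looks ordinary.
    if (-not $Path) { return $null }
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing file' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "unsigned ($($sig.Status))" }
    # Assumed "normal" roots; adjust for your own software layout.
    $trusted = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $inTrusted = $trusted | Where-Object { $Path.StartsWith($_, 'OrdinalIgnoreCase') }
    if (-not $inTrusted) { return 'signed, unusual location' }
    return $null
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Source, [string]$Image) {
    $why = Test-Suspicious $Image
    if ($why) { $findings.Add([pscustomobject]@{ Source = $Source; Image = $Image; Why = $why }) }
}

# 1. Run / RunOnce keys, machine and user, 64- and 32-bit views.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }               # provider metadata, not a value
        Add-Finding "$k\$name" (Resolve-ImagePath $props.$name)
    }
}

# 2. Services: the ImagePath, plus the ServiceDll that svchost.exe loads for the service.
Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services -ErrorAction SilentlyContinue | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($svc.ImagePath) { Add-Finding "service $($_.PSChildName)" (Resolve-ImagePath $svc.ImagePath) }
    $params = "$($_.PSPath)\Parameters"
    if (Test-Path $params) {
        $dll = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { Add-Finding "service $($_.PSChildName) ServiceDll" (Resolve-ImagePath $dll) }
    }
}

$findings | Sort-Object Why, Source | Format-Table -AutoSize
```

Read the output as a shortlist, not a verdict: a ServiceDll pointing at an unsigned file in a user-writable directory is a strong lead, while "signed, unusual location" is often just a third-party installer that chose its own directory. On older systems where Get-AuthenticodeSignature does not consult catalog signatures, many genuine Windows binaries report NotSigned; there, compare hashes against a known-good machine rather than trusting that column alone.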

exeteluser9384759
Posts: 8
Joined: Tue Nov 02, 2010 12:36 pm
Location: NSW, Mid North Coast

Re: Odd Connection on startup

Post by exeteluser9384759 » Tue Nov 02, 2010 7:07 pm

Some more information:

Briefly researched "antivirus 2010" and followed suggestions to use a separate scanner: the free version of Malwarebytes' Anti-Malware, which found several entries and successfully removed them. On startup I'm no longer seeing the suspicious connection to that Ukrainian DNS server. In the end who is responsible for this crime? I wish we had services that dealt with these criminals; what if the program harvested my banking details? Now I'll have to change bank accounts and increase security. We've already lost thousands to criminals like this.

Dazzled
Volunteer Site Admin
Posts: 6000
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Odd Connection on startup

Post by Dazzled » Tue Nov 02, 2010 7:42 pm

It's not funny, is it? But note what the cops said, above. Using MS to do banking is not unlike leaving your car in the street with the engine running. Did Malwarebytes give this exploit a name, or is NKVD unpleasant enough?

exeteluser9384759
Posts: 8
Joined: Tue Nov 02, 2010 12:36 pm
Location: NSW, Mid North Coast

Re: Odd Connection on startup

Post by exeteluser9384759 » Tue Nov 02, 2010 8:36 pm

Adware.MyWebSearch
and
Trojan.SpyEyes

Summary:
Trojan:Win32/Spyeye is a trojan that captures keystrokes and steals login credentials through a method known as "form grabbing". Trojan:Win32/Spyeye sends captured data to a remote attacker, may download updates of the components and has a rootkit component to hide its malicious activity.

gg....

thx for replies

CoreyPlover
Volunteer Site Admin
Posts: 5922
Joined: Sat Nov 04, 2006 2:24 pm
Location: Melbourne, VIC

Re: Odd Connection on startup

Post by CoreyPlover » Wed Nov 03, 2010 1:22 am

I've also come across Adware.MyWebSearch on a colleague's computer in the last 2 months or so. The behaviour was exactly as you describe too: a fake antivirus scanner performs a scan then tries to redirect you to download software. Just uninstalling from Control Panel isn't enough, but MalwareBytes will nuke it; otherwise there are manual removal instructions that are not too onerous. Strange (and somewhat disturbing) that it is so pervasive, without an obvious entry point, though I'd almost surely put it down to an infected software install.
I am a volunteer moderator and not an Exetel staff member. As with all forum posts, mine do not constitute any "official" Exetel position. Support tickets may be logged via https://helpdesk.exetel.com.au or residentialsupport@exetel.com.au
