
Odd Connection on startup

Posted: Tue Nov 02, 2010 5:03 pm
by exeteluser9384759
Every time I start my computer it creates two connections to The local ports are somewhere between 1000-1100 and the remote port is 53, so it seems like my computer is doing a DNS lookup on that server. I can't figure out what program is initiating the connection. The program I'm using to monitor is cports, like a GUI for netstat. I've tried creating a firewall rule to block all TCP/UDP data from port 1 to 65535 to that IP address, but the connection still initiates itself every time on startup.

Should I consider this a virus/rootkit/spyware threat or just ignore it? I'm thinking of reinstalling Windows just to be safe, and in the meantime not logging into online banking sites.

Re: Odd Connection on startup

Posted: Tue Nov 02, 2010 5:40 pm
by Dazzled
It's going to the Ukraine, to an address belonging to seems to sell domain names etc. Not an attractive business name from Russian history.

I'd consider anything that operates uncontrolled like this as suspicious. Regarding banking, if you need it soon, read the Police advice at,ns ... nking.aspx. It might seem extreme, but it is safe.

Oh, and welcome on your first post.

Re: Odd Connection on startup

Posted: Tue Nov 02, 2010 6:40 pm
by exeteluser9384759
No results from AV scan or spybots. A port scan from shows all my ports are stealthed except for web https and legitimate listening ports. Still I can't figure out how the connection is being initiated, nothing suspicious on startup, no suspicious services (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services). Somehow something must have executed and injected itself into a DLL somewhere. The only software I've installed in the past week is freeware WebVideoCap and universe simulator, making sure to deselect any adware/toolbars.

Also this morning I woke up to find some spyware program calling itself "antivirus 2010" had somehow installed itself, executed, and was claiming to have done a system scan and found 66 viruses. Smelling the rancid scent of bs I uninstalled it promptly through appwiz.cpl without touching the program in any way.

Re: Odd Connection on startup

Posted: Tue Nov 02, 2010 7:07 pm
by exeteluser9384759
Some more information:

Briefly researched "antivirus 2010" and followed suggestions to use a separate scanner: the free version of Malwarebytes' Anti-Malware, which found several entries and successfully removed them. On startup I'm no longer seeing the suspicious connection to that Ukrainian DNS server. In the end who is responsible for this crime? I wish we had services that dealt with these criminals, what if the program harvested my banking details? Now I'll have to change bank accounts and increase security. We've already lost thousands to criminals like this.

Re: Odd Connection on startup

Posted: Tue Nov 02, 2010 7:42 pm
by Dazzled
It's not funny, is it? But note what the cops said, above. Using MS to do banking is not unlike leaving your car in the street with the engine running. Did Malwarebytes give this exploit a name, or is NKVD unpleasant enough?

Re: Odd Connection on startup

Posted: Tue Nov 02, 2010 8:36 pm
by exeteluser9384759
Trojan:Win32/Spyeye is a trojan that captures keystrokes and steals login credentials through a method known as "form grabbing". Trojan:Win32/Spyeye sends captured data to a remote attacker, may download updates of the components and has a rootkit component to hide its malicious activity.

thx for replies

Re: Odd Connection on startup

Posted: Wed Nov 03, 2010 1:22 am
by CoreyPlover
I've also come across Adware.MyWebSearch on a colleague's computer in the last 2 months or so. The behaviour is exactly as you describe too: fake antivirus scanner performs a scan then tries to redirect you to download software. Just uninstalling from Control Panel isn't enough, but MalwareBytes will nuke it, otherwise there are manual removal instructions that are not too onerous. Strange (and somewhat disturbing) that it is so pervasive, without an obvious entry point, though I'd almost surely put it down to an infected software install.