Guest mosquito_hippy
Posted September 12, 2008

I found this agent trying to reach the internet through our firewall and I don't know how to deal with this issue.

First, neither Explorer.EXE:3:5.1 nor plain explorer.exe should reach the internet, I guess.

Why is this program trying to reach 217.5.248.20:65500, changing its source port every 10 seconds?

It has to be a virus or something like that, but my antivirus can't detect it.

Can anybody give me a clue?

Guest Malke
Posted September 12, 2008

mosquito_hippy wrote:
> I found this agent trying to reach the internet through our firewall and I don't know how to deal with this issue.
>
> First, neither Explorer.EXE:3:5.1 nor plain explorer.exe should reach the internet, I guess.
>
> Why is this program trying to reach 217.5.248.20:65500, changing its source port every 10 seconds?
>
> It has to be a virus or something like that, but my antivirus can't detect it.

217.5.248.20

inetnum: 217.5.248.16 - 217.5.248.23
netname: SANDER-UMFORMTECHNIK-GMBH-CO-KG-RENCHEN-NET
descr: reputatio AG
country: DE
admin-c: TS1766-RIPE
tech-c: TS1766-RIPE
status: ASSIGNED PA
mnt-by: DTAG-NIC
source: RIPE # Filtered

person: Thomas Spinner
address: Sander GmbH & Co. KG
address: Reiersbacher Str. 34
address: 77871 Renchen
address: DE
phone: +497843370515
e-mail:
nic-hdl: TS1766-RIPE
mnt-by: DTAG-NIC
source: RIPE # Filtered

route: 217.0.0.0/13
descr: Deutsche Telekom AG, Internet service provider
origin: AS3320
member-of: AS3320:RS-PA-TELEKOM
mnt-by: DTAG-RR
source: RIPE # Filtered

Is this your ISP? I Googled for "Explorer.EXE:3:5.1" and got some links mentioning FrontPage. Do you use FrontPage? If not, try scanning with Malwarebytes' Antimalware program (free).

http://www.malwarebytes.org

More information about malware removal:
http://www.elephantboycomputers.com/page2....emoving_Malware

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ

Guest mosquito_hippy
Posted September 12, 2008

Thanks.

No, I don't use FrontPage and neither do any of my users; it has to be some kind of virus. Panda doesn't detect anything.

I'll try some other software, but I'm thinking it could be a rootkit posing as the real explorer.

"Malke" wrote:
> mosquito_hippy wrote:
> > I found this agent trying to reach the internet through our firewall and I don't know how to deal with this issue.
> >
> > First, neither Explorer.EXE:3:5.1 nor plain explorer.exe should reach the internet, I guess.
> >
> > Why is this program trying to reach 217.5.248.20:65500, changing its source port every 10 seconds?
> >
> > It has to be a virus or something like that, but my antivirus can't detect it.
>
> 217.5.248.20
>
> inetnum: 217.5.248.16 - 217.5.248.23
> netname: SANDER-UMFORMTECHNIK-GMBH-CO-KG-RENCHEN-NET
> descr: reputatio AG
> country: DE
> admin-c: TS1766-RIPE
> tech-c: TS1766-RIPE
> status: ASSIGNED PA
> mnt-by: DTAG-NIC
> source: RIPE # Filtered
>
> person: Thomas Spinner
> address: Sander GmbH & Co. KG
> address: Reiersbacher Str. 34
> address: 77871 Renchen
> address: DE
> phone: +497843370515
> e-mail:
> nic-hdl: TS1766-RIPE
> mnt-by: DTAG-NIC
> source: RIPE # Filtered
>
> route: 217.0.0.0/13
> descr: Deutsche Telekom AG, Internet service provider
> origin: AS3320
> member-of: AS3320:RS-PA-TELEKOM
> mnt-by: DTAG-RR
> source: RIPE # Filtered
>
> Is this your ISP? I Googled for "Explorer.EXE:3:5.1" and got some links mentioning FrontPage. Do you use FrontPage? If not, try scanning with Malwarebytes' Antimalware program (free).
>
> http://www.malwarebytes.org
>
> More information about malware removal:
> http://www.elephantboycomputers.com/page2....emoving_Malware
>
> Malke
> --
> MS-MVP
> Elephant Boy Computers - Don't Panic!
> FAQ - http://www.elephantboycomputers.com/#FAQ

Guest David H. Lipman
Posted September 12, 2008

From: "mosquito_hippy" <mosquitohippy@discussions.microsoft.com>

| I found this agent trying to reach the internet through our firewall and I don't
| know how to deal with this issue.
| First, neither Explorer.EXE:3:5.1 nor plain explorer.exe should reach the
| internet, I guess.
| Why is this program trying to reach 217.5.248.20:65500, changing its source
| port every 10 seconds?
| It has to be a virus or something like that, but my antivirus can't detect it.
| Can anybody give me a clue?

Due to the tight bundling of IE to WinXP, Explorer can access the internet. Additionally, malware can hook into the Windows Explorer process.

Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe
http://www.pctipp.ch/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/0...virus-for-free/

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site.
The choices are: Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed, hitting 'H' or 'h' will bring up a more comprehensive PDF help file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm

Please report back your results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest kalyan
Posted September 17, 2008

Hi,

Just check whether the source port is changing between the ports mentioned below. If it matches, you have the virus mentioned below.

Port    Application    Protocol
65529   W32.Spybot     tcp
65534   sbin/initd     tcp
65535   RC1 trojan     tcp

--
Warm Regards
Kalyan

"mosquito_hippy" <mosquitohippy@discussions.microsoft.com> wrote in message news:C24B0FB0-9F7C-470D-9146-E53F11CE1409@microsoft.com...
> I found this agent trying to reach the internet through our firewall and I don't know how to deal with this issue.
>
> First, neither Explorer.EXE:3:5.1 nor plain explorer.exe should reach the internet, I guess.
>
> Why is this program trying to reach 217.5.248.20:65500, changing its source port every 10 seconds?
>
> It has to be a virus or something like that, but my antivirus can't detect it.
>
> Can anybody give me a clue?
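
Added example, not part of the thread: the behaviour reported in the opening post (one agent retrying 217.5.248.20:65500 every 10 seconds, each attempt from a new source port) can be confirmed from firewall logs by measuring the spacing between attempts per agent and destination. Each new TCP connection attempt normally gets a fresh ephemeral source port, so the fixed destination and the regular interval are the signal. The log line format, the internal address 10.0.0.23 and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines in an assumed format (not a real product's log):
# date time action proto src_ip:src_port dst_ip:dst_port agent
SAMPLE_LOG = """\
2008-09-12 10:15:00 DENY TCP 10.0.0.23:1045 217.5.248.20:65500 Explorer.EXE:3:5.1
2008-09-12 10:15:04 ALLOW TCP 10.0.0.23:1046 192.0.2.10:80 iexplore.exe
2008-09-12 10:15:05 ALLOW TCP 10.0.0.23:1048 192.0.2.10:80 iexplore.exe
2008-09-12 10:15:10 DENY TCP 10.0.0.23:1047 217.5.248.20:65500 Explorer.EXE:3:5.1
2008-09-12 10:15:20 DENY TCP 10.0.0.23:1049 217.5.248.20:65500 Explorer.EXE:3:5.1
2008-09-12 10:15:30 DENY TCP 10.0.0.23:1052 217.5.248.20:65500 Explorer.EXE:3:5.1
2008-09-12 10:15:31 ALLOW TCP 10.0.0.23:1050 192.0.2.10:80 iexplore.exe
2008-09-12 10:15:33 ALLOW TCP 10.0.0.23:1051 192.0.2.10:80 iexplore.exe
2008-09-12 10:15:40 DENY TCP 10.0.0.23:1053 217.5.248.20:65500 Explorer.EXE:3:5.1
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<agent>.+)$")

def find_beacons(log_text, min_events=4, max_jitter=1.0):
    """Return flows (host, agent, destination) that repeat at a near-constant interval."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["src"], m["agent"], m["dst"], int(m["dport"]))
        flows[key].append((ts, int(m["sport"])))
    findings = []
    for key, events in flows.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        # Interactive traffic has irregular gaps; a timer-driven retry does not.
        if pstdev(gaps) <= max_jitter:
            findings.append({
                "host": key[0], "agent": key[1], "dst": f"{key[2]}:{key[3]}",
                "events": len(events), "interval_s": mean(gaps),
                "distinct_src_ports": len({port for _, port in events}),
            })
    return findings

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```
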