remote access trojan?
Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: remote access trojan?

  1. #1
    Junior Member
    Join Date
    Mar 2004
    Posts
    11

    remote access trojan?

    I don't know if this is the place to discuss this, but I am new and have an issue I cannot resove. I used opened an e mail from a trusted perdon the other day. It was through hotmail. When I opened the file, It proceeded to open outlook express. Nothing happened then. Shortly after Zone alarm (firewall) starting asking to grant internet access permission to Unknown Process -150670 (Find Error). I denied it. Then it asked again for Unknown Process -248223 (Find Error). Again I denied it. Now When I use my Internnet Explorer, My firewall says it blocked access to my computer from 63.240.76.4:53. It blocks it about every 2-3 seconds. The source DNS is ns6.attbi.com. I have figured out that attbi is linked to "pc anywhere somehow" (remote access). I believe that someone or something is trying to connect with something on my p.c. from outside. "Spybot search & destroy" detected nothing. I wonder how I can find and remove what is trying to connect from my computer, or stop the site or person from trying to connect to my p.c.. I also believe that the trojan(?) is trying to use other programs to access the internet. Please help if u can. I am new to this. Thanx.

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Didn't you put this in another thread? (Could've sworn I've seen this elsewhere)

    Anyways, to answer your question.. try some of these:

    1) scan with Anti-virus software in a safe mode without networking method

    2) Get a trojan specific detection tool like The Cleaner

    3) File a complaint with the ISP of the source attempting to connect. Do a traceroute on the IP or a whois tool like Sam Spade (have patience as it's a little slow these days) to resolve the IP to a FQDN. Send the complaint to "abuse@isp.com" (whatever isp.com is for the "attacker").

    What makes you think it's attempting to use other programs?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Junior Member
    Join Date
    Mar 2004
    Posts
    11
    The reason I think it is trying to use other programs is because programs that I have LREdy granted permission to are asking again, but have been modified. When I look up the destination ip It is almost the same as the "Unknown Process -150679 (Find Error)" program that was trying to acces the internet. First My antivirus autoupdate tried, then with another that I cannot recall at the moment. Gonna try your advice. Although I am having trouble initiating the cleaner download, due to my firewall I believe. I have "window Washer" . Isthat comparable or should I get the cleaner?

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Hrmm.. I thought that Window Washer was more of a privacy tool than a trojan detector. The Cleaner is a trojan detection tool.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    did you check with your friend to make sure it was send by him and not by an internet worm using his name?

    Query for 4.76.240.63.in-addr.arpa type=255 class=1
    4.76.240.63.in-addr.arpa PTR (Pointer) ns6.attbi.com
    76.240.63.in-addr.arpa NS (Nameserver) ns1.itv.att.net
    76.240.63.in-addr.arpa NS (Nameserver) ns2.itv.att.net
    76.240.63.in-addr.arpa NS (Nameserver) ns3.itv.att.net
    76.240.63.in-addr.arpa NS (Nameserver) ns4.itv.att.net

    these att's name servers are you using at&t as your isp. port 53 is the standard dns port

    pcAnywhere uses tcp 5631 and udp 5632

    do a netstat and dee if anything is listening you dont know about or connections are made that shouldn't be. like 6667 to some irc.ru

    spybot s&d is meant to detect SpyWare/Adware you MUST scan your computer using anti-virus software with the latest definitions.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #6
    Junior Member
    Join Date
    Mar 2004
    Posts
    11
    I meant I had spytbot......But i see that spybot is not necessarilly what i need. I ran a virus check with my antivirus software earlier after I downloaded the latest definitions. It found nothing. Will checking it in safe mode be a better option?

  7. #7
    Banned
    Join Date
    Nov 2003
    Posts
    1,161
    If your using XP hit control-alt-delete, got to view/select colums/check PID(Process Identifier)/ok/. Then Start/Programs/accessories/command Prompt/ Then in the command Prompt type:netstat -ano & then match the PID #'s to the exe.'s in the task manager.
    And google what the name of the suspicious exe. that you do not reconize.

    Hope it helps.

  8. #8
    Junior Member
    Join Date
    Mar 2004
    Posts
    11
    My friend said she sent the email but when she sent it it had a link. There was no link when I got it, but it was kind of large.Hey what is a netstat and how do i do one?

  9. #9
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Will checking it in safe mode be a better option?
    Sometimes. Some virus/trojans start up and hide themselves (for lack of a better description) from anti-virus when running in full mode.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  10. #10
    Junior Member
    Join Date
    Mar 2004
    Posts
    11
    I am using Windows ME. I am just learning about this stuff so I am not sure how to check my ports or if they are open or closed or who is listening. I like to think I am somewhat comp-literae though.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •