March 5th, 2004, 02:24 AM
remote access trojan?
I don't know if this is the place to discuss this, but I am new and have an issue I cannot resolve. I opened an e-mail from a trusted person the other day. It was through Hotmail. When I opened the file, it proceeded to open Outlook Express. Nothing happened then. Shortly after, Zone Alarm (firewall) started asking to grant internet access permission to Unknown Process -150670 (Find Error). I denied it. Then it asked again for Unknown Process -248223 (Find Error). Again I denied it. Now when I use my Internet Explorer, my firewall says it blocked access to my computer from 126.96.36.199:53. It blocks it about every 2-3 seconds. The source DNS is ns6.attbi.com. I have figured out that attbi is linked to "pc anywhere" somehow (remote access). I believe that someone or something is trying to connect with something on my p.c. from outside. "Spybot Search & Destroy" detected nothing. I wonder how I can find and remove what is trying to connect from my computer, or stop the site or person from trying to connect to my p.c. I also believe that the trojan(?) is trying to use other programs to access the internet. Please help if you can. I am new to this. Thanx.
March 5th, 2004, 02:31 AM
Didn't you put this in another thread? (Could've sworn I've seen this elsewhere)
Anyways, to answer your question.. try some of these:
1) scan with Anti-virus software in a safe mode without networking method
2) Get a trojan specific detection tool like The Cleaner
3) File a complaint with the ISP of the source attempting to connect. Do a traceroute on the IP or a whois tool like Sam Spade (have patience as it's a little slow these days) to resolve the IP to a FQDN. Send the complaint to "firstname.lastname@example.org" (whatever isp.com is for the "attacker").
What makes you think it's attempting to use other programs?
March 5th, 2004, 02:45 AM
The reason I think it is trying to use other programs is because programs that I have already granted permission to are asking again, but have been modified. When I look up the destination IP it is almost the same as the "Unknown Process -150679 (Find Error)" program that was trying to access the internet. First my antivirus autoupdate tried, then another that I cannot recall at the moment. Gonna try your advice. Although I am having trouble initiating The Cleaner download, due to my firewall I believe. I have "Window Washer". Is that comparable or should I get The Cleaner?
March 5th, 2004, 02:48 AM
Hrmm.. I thought that Window Washer was more of a privacy tool than a trojan detector. The Cleaner is a trojan detection tool.
March 5th, 2004, 02:52 AM
Did you check with your friend to make sure it was sent by him and not by an internet worm using his name?
Query for 188.8.131.52.in-addr.arpa type=255 class=1
184.108.40.206.in-addr.arpa PTR (Pointer) ns6.attbi.com
76.240.63.in-addr.arpa NS (Nameserver) ns1.itv.att.net
76.240.63.in-addr.arpa NS (Nameserver) ns2.itv.att.net
76.240.63.in-addr.arpa NS (Nameserver) ns3.itv.att.net
76.240.63.in-addr.arpa NS (Nameserver) ns4.itv.att.net
These are AT&T's name servers. Are you using AT&T as your ISP? Port 53 is the standard DNS port.
pcAnywhere uses TCP 5631 and UDP 5632.
Do a netstat and see if anything is listening that you don't know about, or connections are made that shouldn't be, like 6667 to some irc.ru.
Spybot S&D is meant to detect spyware/adware. You MUST scan your computer using anti-virus software with the latest definitions.
March 5th, 2004, 02:57 AM
I meant I had Spybot... But I see that Spybot is not necessarily what I need. I ran a virus check with my antivirus software earlier after I downloaded the latest definitions. It found nothing. Will checking it in safe mode be a better option?
March 5th, 2004, 03:11 AM
If you're using XP, hit Control-Alt-Delete, go to View / Select Columns / check PID (Process Identifier) / OK. Then Start / Programs / Accessories / Command Prompt. Then in the command prompt type: netstat -ano, and then match the PID #'s to the .exe's in the Task Manager.
And google the name of any suspicious .exe that you do not recognize.
Hope it helps.
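As an added example (not code from anyone in this thread), the following script does the matching step above automatically: it parses `netstat -ano` output, joins each row to the Task Manager PID column, and flags the ports the earlier reply calls out (pcAnywhere TCP 5631 / UDP 5632, IRC 6667). The netstat text and the PID-to-image map are constructed samples, and `winupd32.exe` is a made-up image name.

```python
from collections import namedtuple

# Ports named earlier in the thread: pcAnywhere and IRC.
WATCHED_PORTS = {5631: "pcAnywhere data", 5632: "pcAnywhere status", 6667: "IRC"}

Conn = namedtuple("Conn", "proto laddr lport raddr rport state pid")

# Constructed sample of `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.5:1034       203.0.113.7:6667       ESTABLISHED     2440
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING       2440
  UDP    0.0.0.0:5632           *:*                                    2440
  UDP    127.0.0.1:1900         *:*                                    1300
"""

# Constructed PID -> image name map, as Task Manager shows with the PID column on.
SAMPLE_PIDS = {912: "svchost.exe", 2440: "winupd32.exe", 1300: "svchost.exe"}

def split_addr(addr):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column, so the PID is the last field either way.
        pid = int(parts[-1])
        state = parts[3] if parts[0] == "TCP" else ""
        lh, lp = split_addr(parts[1])
        rh, rp = split_addr(parts[2])
        conns.append(Conn(parts[0], lh, lp, rh, rp, state, pid))
    return conns

def review(conns, pid_names):
    """Return (pid, image, reason) for rows that touch a watched port."""
    findings = []
    for c in conns:
        image = pid_names.get(c.pid, "<unknown>")
        if c.rport in WATCHED_PORTS:
            findings.append((c.pid, image, f"outbound to {c.raddr}:{c.rport} ({WATCHED_PORTS[c.rport]})"))
        elif (c.state == "LISTENING" or c.proto == "UDP") and c.lport in WATCHED_PORTS and c.laddr != "127.0.0.1":
            findings.append((c.pid, image, f"{c.proto} listening on {c.lport} ({WATCHED_PORTS[c.lport]})"))
    return findings

if __name__ == "__main__":
    for pid, image, why in review(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PIDS):
        print(f"PID {pid} {image}: {why}")
```

On a live machine, pipe the real `netstat -ano` output into `parse_netstat` and build the PID map from Task Manager; each flagged image name is then the one to look up, as the reply suggests.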
March 5th, 2004, 03:12 AM
My friend said she sent the email, but when she sent it it had a link. There was no link when I got it, but it was kind of large. Hey, what is a netstat and how do I do one?
March 5th, 2004, 03:13 AM
Sometimes. Some virus/trojans start up and hide themselves (for lack of a better description) from anti-virus when running in full mode.
Will checking it in safe mode be a better option?
March 5th, 2004, 03:15 AM
I am using Windows ME. I am just learning about this stuff so I am not sure how to check my ports, or if they are open or closed, or who is listening. I like to think I am somewhat comp-literate though.