interesting firewall alarm..

[Kezil]

Norton firewall has been popping up this message a few times today:

Microsoft Office 2000 component is attempting to access the Internet

At X:XX PM on X/XX/XX, the following communication was detected:
Application: C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
Protocol: TCP (Outbound)
Remote Address: www.irs.gov (66.77.65.247) : http (80)
Local Address: Service port 1159
This file is not infected with a virus. There is no autoconfiguration data for this application. This application is from a known company (Microsoft Corporation). This application does not have a digital signature or the digital signature is invalid.

any thoughts?
(btw, my mother just did her taxes on it today)

[Tuskin]

In the startup there usually is findfast... I have never found out what it does but its not neccissary so just get it out of there and it wont be running.... dont think it'll try to connect out if its not running.

[cwk9]

Rule of thumb if you never use the program or have never heard of it; never let it access the internet.

[xmaddness]

Find fast is a program that is included w/ ms office. What its supposed to do is index your documents on your drive for faster searches. Why its trying to get port access, no clue. I havn't ever heard of that. As tuskin said you can easily disable it.

[Kezil]

I'm wondering why it wants the IRS

[xmaddness]

Conspiracy note... This is very interesting. Here are my thoughts.

1) The program Findfast should NOT be tring to access ANY ports what so ever. The fact that this program's design is to catalog everything on your HD causes a bit of concern to me. This leads me to believe that it may be infected with somthing.

2) The fact that its trying to contact the IRS homepage also worries me. Hmmm... I did a whois on the IP and got this:

Qwest Cybercenters (NETBLK-QWEST-CYBERCENTER-2)
1200 Harbor Boulevard
Weehawken, NJ 07087
US

Netname: QWEST-CYBERCENTER-2
Netblock: 66.77.0.0 - 66.77.191.255
Maintainer: QCYB

Coordinator:
Wysocki, David (DW820-ARIN) [email protected]
201-770-4133

Domain System inverse mapping provided by:

DCA-ANS-01.INET.QWEST.NET 205.171.9.242
SVL-ANS-01.INET.QWEST.NET 205.171.14.195

ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

Record last updated on 25-Mar-2002.
Database last updated on 14-Apr-2002 19:58:00 EDT.

I may be wrong on this, but would the IRS use Qwest as an ISP? I would think they would use their own lines. Okay, possibly the website is hosted by Qwest.

Ughh, If I hear another AOL ad on TV I'm gunna go completly... sorry.

Anyways where was I? Oh yeah...

[PARANOIA] Okay, here comes the "What If" part. What if while your mother was on the computer doing her taxes via an on-line tax generator, the tax website downloaded a trojan controlled by the government? I see this this as a perfect opportunity for the government to install backdoor Carnivore, Magic Lantern, type of software to thousands of computers.[/PARANOIA]

I may be way off on this, but what if?

Your thoughts?

Halo found this later: FindFast
It has no reason to connect out. Very, Very strange.

[PhirePhreak]

/me hides.

I think someone's a bit paranoid. But I also don't think that this is something to be ignored. Just kill the program, don't let it run, don't let it access any ports, don't let it eat, don't let it poop, don't let it... well, you get the idea. I personally think it is the spawn of Satan, and we all know that Satan answers to his alternate identity of the IRS...

God bless,
--PhirePhreak

[cwk9]

Xmaddness might be a little paranoid but he has a point trust no one. I would update you virus scanner and do a complete scan. But a virus made by the government wouldn’t be detected by a virus scanner. There to smart to fall for that one. They could know that you’re posting on this forum and dispatch a secret irs commando death squad after you. My advice to you would be to pack up all you stuff and go live in a shack with no power on the side of a snowy mountain. And what about us. Now we know and they’ll be after us to. Oh man I need a beer.

[Tuskin]

cwk9 ... you have a point... y did I ever reply?? I am putting my life and future in danger... lol, no if it were the goverment you would have more difficulty finding the 'issue'. FINDFAST trying to acces the internet is definately odd and I'd be currious... M$ has no reason to have FINDFAST really in the fist place, his idea of 'convience'... :conflicting issues! My first comment will work... if it says still that the goverment is trying to get.... I mean FINDFAST is trying to get out... something is triggering "FINDFAST" and you will have to determine the cause.

(If findfast is closed [not in startup] and its trying to get out, something is opening it or posing as it)
well I hope I helped...
Tuskin

[Tuskin]

Dang I forgot to say: Good paranoia = self determination to understand how to protect yourself from "it" and of course do it.