Urgent! Unknown Virus, PC keeps on sending to 213.132.196.211:53!


qazaka

Hi,

I tried installing the latest DAT for Norton and scanning the PC, but still
cannot clean the 'virus'.

When the network connection is up, the 'virus' keeps sending SYNs to 213.132.196.211:53

Can anyone help!!

netstat -an shows the activity.


TCP 192.168.1.5:1314 213.132.196.211:53 TIME_WAIT
TCP 192.168.1.5:1315 213.132.196.211:53 TIME_WAIT
TCP 192.168.1.5:1316 213.132.196.211:53 FIN_WAIT_1
TCP 192.168.1.5:1317 213.132.196.211:53 TIME_WAIT
TCP 192.168.1.5:1318 213.132.196.211:53 FIN_WAIT_1
TCP 192.168.1.5:1319 213.132.196.211:53 TIME_WAIT
TCP 192.168.1.5:1320 213.132.196.211:53 CLOSING
TCP 192.168.1.5:1329 213.132.196.211:53 TIME_WAIT
TCP 192.168.1.5:1330 213.132.196.211:53 FIN_WAIT_1
TCP 192.168.1.5:1331 213.132.196.211:53 TIME_WAIT
TCP 192.168.1.5:1332 213.132.196.211:53 FIN_WAIT_1
TCP 192.168.1.5:1333 213.132.196.211:53 TIME_WAIT
TCP 192.168.1.5:1334 213.132.196.211:53 FIN_WAIT_1
TCP 192.168.1.5:1335 213.132.196.211:53 FIN_WAIT_1
TCP 192.168.1.5:1336 213.132.196.211:53 FIN_WAIT_1
TCP 192.168.1.5:1337 213.132.196.211:53 SYN_SENT
TCP 192.168.1.5:1338 213.132.196.211:53 FIN_WAIT_1
TCP 192.168.1.5:1339 213.132.196.211:53 FIN_WAIT_1
TCP 192.168.1.5:1340 213.132.196.211:53 FIN_WAIT_1
TCP 192.168.1.5:1341 213.132.196.211:53 SYN_SENT
TCP 192.168.1.5:1342 213.132.196.211:53 SYN_SENT
 

Duane Arnold

(e-mail address removed) (qazaka) wrote in
> Hi,
>
> I tried installing the latest DAT for Norton and scanning the PC, but still
> cannot clean the 'virus'.
>
> When the network connection is up, the 'virus' keeps sending SYNs to
> 213.132.196.211:53
>
> Can anyone help!!
Use Active Ports and Process Explorer; both are free, use Google. You can use
Process Explorer to look inside a running program and see what is using the
running program when you use Active Ports to spot the program/process
making the connection, because another program can be using the running
process on its behalf to get out.

Duane :)
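The netstat listing in the original post and Duane's advice to tie each socket to the process behind it, combined in one added example (my code, not anything the posters ran). It parses constructed `netstat -ano` and `tasklist` output (the `-o` switch adds the PID column that plain `netstat -an` lacks), groups the TCP sockets by remote endpoint, and names the owning process for any endpoint that has several sockets open at once. The PID values and the process name `suspect.exe` are assumptions; Windows reports PID 0 for TIME_WAIT sockets because no process owns them any more, which is why the report skips PID 0.

```python
"""Map repeated outbound connections to their owning process.

Added example: parses constructed `netstat -ano` and `tasklist` output
(Windows), groups TCP sockets by remote endpoint, and names the process
behind any endpoint that has many sockets open at once.
"""
from collections import Counter, defaultdict
import re

# Constructed sample modelled on the listing in the post, with the PID
# column that `netstat -ano` adds.  PID values are assumptions; Windows
# shows PID 0 for TIME_WAIT sockets because no process owns them any more.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.1.5:1314       213.132.196.211:53     TIME_WAIT       0
  TCP    192.168.1.5:1316       213.132.196.211:53     FIN_WAIT_1      1844
  TCP    192.168.1.5:1337       213.132.196.211:53     SYN_SENT        1844
  TCP    192.168.1.5:1341       213.132.196.211:53     SYN_SENT        1844
  TCP    192.168.1.5:1402       192.168.1.1:139        ESTABLISHED     4
  UDP    192.168.1.5:137        *:*                                    4
"""

# Constructed `tasklist` output; "suspect.exe" is a placeholder name.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0        236 K
svchost.exe                    932 Console                    0      4,120 K
suspect.exe                   1844 Console                    0      2,508 K
"""

TASKLIST_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def split_endpoint(addr):
    """'host:port' -> (host, port); port is None for '*:*' style entries."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per socket row; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # malformed row
        rows.append({"proto": proto, "local": local,
                     "local_port": split_endpoint(local)[1],
                     "remote": remote, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist` output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def find_busy_remotes(sockets, procs, min_sockets=3):
    """Group non-listening TCP sockets by remote endpoint and report any
    endpoint with at least `min_sockets` sockets, naming the owning processes."""
    by_remote = defaultdict(list)
    for s in sockets:
        if s["proto"] == "TCP" and s["state"] != "LISTENING":
            by_remote[s["remote"]].append(s)
    findings = []
    for remote, socks in sorted(by_remote.items()):
        if len(socks) < min_sockets:
            continue
        ports = [s["local_port"] for s in socks]
        # PID 0 means the socket is already closed on our side (TIME_WAIT)
        owners = sorted({f"{procs.get(s['pid'], 'unknown')} (pid {s['pid']})"
                         for s in socks if s["pid"] != 0})
        findings.append({
            "remote": remote,
            "sockets": len(socks),
            "states": dict(Counter(s["state"] for s in socks)),
            "local_ports": (min(ports), max(ports)),
            "owners": owners,
        })
    return findings


if __name__ == "__main__":
    socks = parse_netstat(NETSTAT_SAMPLE)
    procs = parse_tasklist(TASKLIST_SAMPLE)
    for f in find_busy_remotes(socks, procs):
        print(f"{f['remote']}: {f['sockets']} sockets {f['states']}, "
              f"local ports {f['local_ports'][0]}-{f['local_ports'][1]}, "
              f"owned by {', '.join(f['owners']) or 'no live process'}")
```

The local ports 1314 through 1342 in the listing are the client's ephemeral source ports, handed out in sequence for each new connection, so they change from one run to the next; the stable indicators are the remote endpoint and the process that the PID column points at, which is what the report keys on.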
 

Ka Khiong Kwok

Dumb response, but is it possible the virus in question is just GAIN or some
other spyware? It's only recently that NAV even recognised GAIN as a virus
('bout blasted time too).

Otherwise your only option is to use what's suggested or try a command-line
scan. The reason the virus might not be cleaned or even picked up is that
it may be within a vector.

Regards,

ka
 

DRACO-

> Hi,
>
> I tried installing the latest DAT for Norton and scanning the PC, but still
> cannot clean the 'virus'.
>
> When the network connection is up, the 'virus' keeps sending SYNs to
> 213.132.196.211:53
That IP equates to redir.myredir.com, and TIME_WAIT usually is an idle
port but still connected (the HTTP protocol does this a lot). I suspect
whatever program it is, it is probably a browser hijacker or proxy.

Try running Ad-Aware ( http://www.lavasoftusa.com ) or Spybot Search and
Destroy ( http://spybot.eon.net.au/ http://www.safer-networking.org/ )

Other advice:

To make sure your virus scanner and trojan scanner are fully enabled and
configured properly, go to: http://www.hackfix.org/software/configure/
Also get all "Critical Updates" from http://windowsupdate.microsoft.com/
Please read ALL of the above that is addressed to you. And, don't forget
to always keep your virus scanner updated regularly. You can receive
further information and help at http://www.hackfix.org/list_virushelp.html
and http://virusinfo.hackfix.org/


DRACO-
 

sdlomi2

qazaka said:
> Hi,
>
> I tried installing the latest DAT for Norton and scanning the PC, but still
> cannot clean the 'virus'.
>
> When the network connection is up, the 'virus' keeps sending SYNs to 213.132.196.211:53
>
> Can anyone help!!
>
> netstat -an shows the activity.
>
>
> TCP 192.168.1.5:1314 213.132.196.211:53 TIME_WAIT
> TCP 192.168.1.5:1315 213.132.196.211:53 TIME_WAIT
> TCP 192.168.1.5:1316 213.132.196.211:53 FIN_WAIT_1
> TCP 192.168.1.5:1317 213.132.196.211:53 TIME_WAIT
> TCP 192.168.1.5:1318 213.132.196.211:53 FIN_WAIT_1
> TCP 192.168.1.5:1319 213.132.196.211:53 TIME_WAIT
> TCP 192.168.1.5:1320 213.132.196.211:53 CLOSING
> TCP 192.168.1.5:1329 213.132.196.211:53 TIME_WAIT
> TCP 192.168.1.5:1330 213.132.196.211:53 FIN_WAIT_1
> TCP 192.168.1.5:1331 213.132.196.211:53 TIME_WAIT
> TCP 192.168.1.5:1332 213.132.196.211:53 FIN_WAIT_1
> TCP 192.168.1.5:1333 213.132.196.211:53 TIME_WAIT
> TCP 192.168.1.5:1334 213.132.196.211:53 FIN_WAIT_1
> TCP 192.168.1.5:1335 213.132.196.211:53 FIN_WAIT_1
> TCP 192.168.1.5:1336 213.132.196.211:53 FIN_WAIT_1
> TCP 192.168.1.5:1337 213.132.196.211:53 SYN_SENT
> TCP 192.168.1.5:1338 213.132.196.211:53 FIN_WAIT_1
> TCP 192.168.1.5:1339 213.132.196.211:53 FIN_WAIT_1
> TCP 192.168.1.5:1340 213.132.196.211:53 FIN_WAIT_1
> TCP 192.168.1.5:1341 213.132.196.211:53 SYN_SENT
> TCP 192.168.1.5:1342 213.132.196.211:53 SYN_SENT
Since I was hit last week--hard, I cannot even boot!--my reading hints
you've got a Trojan left over from MyDoom. I think I remember the 'b' version
overwrites the 'a' version and keeps the ports open for "trojan" control,
whatever that is. Do Google for MyDoom virus and narrow down to ports 1314
thru 1342. You may find what you have plus how to clean it--almost sure there
were both there. HTH, sdlomi
 

I. Care

> Since I was hit last week--hard, I cannot even boot!--my reading hints
> you've got a Trojan left over from MyDoom. I think I remember the 'b' version
> overwrites the 'a' version and keeps the ports open for "trojan" control,
> whatever that is. Do Google for MyDoom virus and narrow down to ports 1314
> thru 1342. You may find what you have plus how to clean it--almost sure there
> were both there. HTH, sdlomi
A check with visual trace on 213.132.196.211 reveals the following
information.

Name: redir.myredir.com
IP Address: 213.132.196.211
Location: s-Hertogenbosch (51.767N, 5.533E)
Network: RIPE-213

Registrant:
Redirect 1
Winter ([email protected])
somewhere in Moscow
Moscow
RU,29749
RU
Tel. +095.3649780


Creation Date: 02-Feb-2004
Expiration Date: 02-Feb-2005

Domain servers in listed order:
ns1.myredir.com
ns2.myredir.com


Administrative Contact:
Redirect 1
Winter ([email protected])
somewhere in Moscow
Moscow
RU,29749
RU
Tel. +095.3649780

Technical Contact:
Redirect 1
Winter ([email protected])
somewhere in Moscow
Moscow
RU,29749
RU
Tel. +095.3649780

Billing Contact:
Redirect 1
Winter ([email protected])
somewhere in Moscow
Moscow
RU,29749
RU
Tel. +095.3649780

Status:ACTIVE

The data in this whois database is provided to you for information
purposes only, that is, to assist you in obtaining information about or
related to a domain name registration record. We make this information
available as is, and do not guarantee its accuracy. By submitting a
whois query, you agree that you will use this data only for lawful
purposes and that, under no circumstances will you use this data to:
(1) enable high volume, automated, electronic processes that stress or
load this whois database system providing you this information; or
(2) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via direct mail,
electronic mail, or by telephone. The compilation, repackaging,
dissemination or other use of this data is expressly prohibited without
prior written consent from us. The registrar of record is DirectI.
We reserve the right to modify these terms at any time. By submitting
this query, you agree to abide by these terms.


The previous information has been obtained either directly from the
registrant or a registrar of the domain name other than Network Solutions.
Network Solutions, therefore, does not guarantee its accuracy or
completeness.
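An added example following the whois lookup above (my code, not something from the thread): a small parser for a whois record like the one quoted, which works out how old the domain was when the traffic was seen and raises the two registration heuristics an analyst would note in a write-up. `WHOIS_SAMPLE` is a constructed excerpt modelled on the quoted record, and the observation date of 20 Feb 2004 is an assumption, since the thread carries no date.

```python
"""Age a domain from its whois record.

Added example: parses a whois excerpt like the one quoted above and flags
registrations that are very recent or taken for only the minimum term.
"""
from datetime import date, datetime

# Constructed excerpt modelled on the record quoted in the thread.
WHOIS_SAMPLE = """\
Name: redir.myredir.com
IP Address: 213.132.196.211
Registrant:
Redirect 1
Creation Date: 02-Feb-2004
Expiration Date: 02-Feb-2005
Domain servers in listed order:
ns1.myredir.com
ns2.myredir.com
Status:ACTIVE
"""

# The thread carries no date; this observation date is an assumption.
OBSERVED = date(2004, 2, 20)

# Fields parsed as dd-Mon-yyyy dates, as the quoted record formats them.
DATE_FIELDS = {"Creation Date": "created", "Expiration Date": "expires"}


def parse_whois(text):
    """Return a dict of the 'Key: value' fields plus the nameserver list."""
    rec = {"nameservers": []}
    in_ns = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Domain servers"):
            in_ns = True          # following bare lines are nameservers
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key in DATE_FIELDS:
            rec[DATE_FIELDS[key]] = datetime.strptime(value, "%d-%b-%Y").date()
            in_ns = False
        elif sep and value:
            rec[key.lower().replace(" ", "_")] = value
            in_ns = False
        elif in_ns and not sep:
            rec["nameservers"].append(line)
        # 'Registrant:' style section headers and their bodies are skipped
    return rec


def domain_age_days(rec, observed=OBSERVED):
    """Days between registration and the date the traffic was observed."""
    return (observed - rec["created"]).days


def registration_flags(rec, observed=OBSERVED, young_days=90):
    """Heuristics worth recording in a write-up; none of them proves malice."""
    flags = []
    age = domain_age_days(rec, observed)
    if age < young_days:
        flags.append(f"created only {age} days before the traffic was seen")
    term = (rec["expires"] - rec["created"]).days
    if term <= 366:   # one year, allowing for a leap day
        flags.append("registered for the minimum one-year term")
    return flags


if __name__ == "__main__":
    rec = parse_whois(WHOIS_SAMPLE)
    print(rec["name"], "age", domain_age_days(rec), "days")
    for flag in registration_flags(rec):
        print(" -", flag)
```

Run against the sample, the record comes out 18 days old with a one-year term, which is exactly the kind of detail that belongs next to the remote endpoint and owning process in an incident note; the same parser accepts any record that uses `Key: value` lines and a "Domain servers" list.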
 
