hacked or spyware running

Michael

Hi all,

After I booted up the other day, I ran 'netstat' and my system was connected to
a foreign http, before the system had even finished starting up.

So I visited the http, found it was a web frontend for a mail system, hmmm.

So I rebooted, this time straight into netstat, and there it is again.

Nothing is able to find the problem: Norton 2005 (newest definitions),
Ad-Aware (newest version and definitions), Spybot: Search and Destroy (newest
version and definitions). I searched the registry for the server my PC is
connecting to and it didn't find anything. Went through msconfig and could
not see anything being started that is out of the ordinary.

Installed Ethereal (packet sniffer); I want to get the login/password of the
email service and want to see what's there. Only problem is that all the
dodgy traffic is completed by the time Ethereal is loaded and ready to
capture.

Anyone know how I can find it, and/or anyone know of a DOS-based packet
sniffer that I could run from cmd as my PC is loading up and making the
connections? My internet is coming in via a Netgear router; the other option I
have is to connect up another gateway and use it to sniff the data, but I would
prefer to do something else :)

Any ideas or suggestions greatly appreciated :)


Thanks

Michael
 
Bruno GUERPILLON

Michael said:
Hi all,

After I booted up the other day, I ran 'netstat' and my system was
connected to a foreign http, before the system had even finished
starting up.
So I visited the http, found it was a web frontend for a mail system,
hmmm.
So I rebooted, this time straight into netstat, and there it is again.

Nothing is able to find the problem: Norton 2005 (newest definitions),
Ad-Aware (newest version and definitions), Spybot: Search and Destroy
(newest version and definitions). I searched the registry for the server my
PC is connecting to and it didn't find anything. Went through
msconfig and could not see anything being started that is out of the
ordinary.
Installed Ethereal (packet sniffer); I want to get the login/password of
the email service and want to see what's there. Only problem is that
all the dodgy traffic is completed by the time Ethereal is loaded and
ready to capture.

Anyone know how I can find it, and/or anyone know of a DOS-based
packet sniffer that I could run from cmd as my PC is loading up and
making the connections? My internet is coming in via a Netgear
router; the other option I have is to connect up another gateway and use
it to sniff the data, but I would prefer to do something else :)

Any ideas or suggestions greatly appreciated :)


Thanks

Michael

Hi
Do you have XP SP2? If so, try a netstat -b so you'll see what process is going
outside.
 
Michael

Thanks Bruno,

The problem is being generated by SimpLite-MSN, an MSN addon for encrypted
chat.

Can't imagine any legitimate need for it to connect to a web mailserver.

720plan.ovh.net:http CLOSE_WAIT [SimpLite-MSN.exe]

Am going to write to them now and see if they have an answer; a little dodgy if
you ask me. Might get my gateway going and start sniffing.



Michael
 
Bruno GUERPILLON

Michael said:
Thanks Bruno,

The problem is being generated by SimpLite-MSN, an MSN addon for
encrypted chat.

Can't imagine any legitimate need for it to connect to a web
mailserver.
720plan.ovh.net:http CLOSE_WAIT [SimpLite-MSN.exe]

Am going to write to them now and see if they have an answer; a little
dodgy if you ask me. Might get my gateway going and start sniffing.



Michael

Hi Mick
Awesome indeed, WTF does this addon need to contact a mail server for?
If you can give some feedback, it would be much appreciated.

Regards
 
Robert Moir

Michael said:
So i visited the http, found it was web frontend for a mail system,
hmmm.
720plan.ovh.net:http CLOSE_WAIT [SimpLite-MSN.exe]

Welcome to the new home users community!

Are you using an MSN / Windows Messenger add-in to encrypt instant message
traffic?
(see http://startup.iamnotageek.com/srch-SimpLite-MSN.exe.html for what I
*hope* you are running)

If not, I'd say you certainly have some kind of spyware that is
impersonating the product outlined in the link above.


--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.
 
Mr. T.

Don't even think about "sniffing". Use your head, examine your computer's
startup files and see if you are running a program which makes you some sort
of beacon. Changing your system passwords might also be a logical
suggestion. There are so many things to check BEFORE worrying about
"sniffing".
 
Rade Trimceski [MSFT]

You might want to look into using the tools from Sysinternals.

http://www.sysinternals.com/ntw2k/utilities.shtml

Process Explorer will show you the process and threads (within the process)
that belong to the program in question. Check if the program is digitally
signed by Microsoft. Give Regmon a try as well; it will tell you what
programs query specific parts of the registry.

Rade
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Michael said:
Thanks Bruno,

The problem is being generated by SimpLite-MSN, an MSN addon for encrypted
chat.

Can't imagine any legitimate need for it to connect to a web mailserver.

720plan.ovh.net:http CLOSE_WAIT [SimpLite-MSN.exe]

Am going to write to them now and see if they have an answer; a little dodgy
if you ask me. Might get my gateway going and start sniffing.



Michael



Bruno GUERPILLON said:
Hi
Do you have XP SP2? If so, try a netstat -b so you'll see what process is going
outside.
--
Cordialement,

Bruno GUERPILLON
http://isa.gerpion.com
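Bruno's netstat -b tip and Rade's advice to check whether the binary is digitally signed can be combined into one script that runs as a startup task and catches the short-lived connection Michael could not capture with Ethereal. This is an added example, not code from anyone in the thread; it assumes a modern Windows (8 / Server 2012 or later, for Get-NetTCPConnection) rather than XP SP2 and an elevated PowerShell, and the log path and polling timings are arbitrary.

```powershell
# Added example (not from the thread): poll outbound TCP connections for the
# first minutes after boot, attribute each to its owning process, and record
# whether that binary carries a valid Authenticode signature. Assumes Windows 8
# / Server 2012 or later and an elevated session; scheduling it as an
# "At startup" task is up to the reader. $LogPath, $Seconds and $Interval are
# arbitrary defaults.
param(
    [string]$LogPath  = "$env:ProgramData\boot-connections.csv",
    [int]$Seconds     = 120,
    [int]$Interval    = 2
)

$seen     = @{}   # key "remote:port|pid" -> already logged
$deadline = (Get-Date).AddSeconds($Seconds)

while ((Get-Date) -lt $deadline) {
    # Every non-listening socket, CLOSE_WAIT included: a short-lived connection
    # like the 720plan.ovh.net one may already be winding down when we look.
    $conns = Get-NetTCPConnection | Where-Object {
        $_.State -ne 'Listen' -and
        $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1')
    }
    foreach ($c in $conns) {
        $key = "$($c.RemoteAddress):$($c.RemotePort)|$($c.OwningProcess)"
        if ($seen.ContainsKey($key)) { continue }   # log each pair once
        $seen[$key] = $true

        # Process may have exited between the snapshot and this lookup.
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $path = if ($proc) { $proc.Path } else { $null }
        $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

        [pscustomobject]@{
            Time      = Get-Date -Format o
            Remote    = "$($c.RemoteAddress):$($c.RemotePort)"
            State     = $c.State
            PID       = $c.OwningProcess
            Process   = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Path      = $path
            SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
    Start-Sleep -Seconds $Interval
}
```

Rows whose SigStatus is anything other than Valid, or whose Path is empty because the process was already gone, are the ones worth opening in Process Explorer afterwards.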
 
