Hi honey, I'm home!


MickKi

Perhaps I'm getting paranoid for no reason, but this is how it looks
from here:

PART 1
Installed new Kerio PF on fully patched XP. Also running Nod32 on trial.

While browsing on this nsg I got a nasty netdex 10 backdoor trojan! Nod32
stopped it (or so it said). I quarantined it, and then deleted it. A
full machine Nod32 scan did not reveal anything untoward. Quick check
around the registry (told you I'm paranoid) revealed that "PostNotCached
repost.html" was added to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs which I
promptly deleted.

Marvellous, I thought, there must be more . . . but I could not find any
other tell-tale signs of this trojan on my machine.

PART 2
After rebooting I keep getting a little fellow trying to dial up! I
believe that this happens when I right-click on the Kerio icon in the tool
tray. The pop-up says something along the lines: "A program or you have
requested connection to 213.121.147.208" If I do not react the same pop-up
is replaced by 213.121.147.209. Both IP addresses seem to belong to BT
Public Internet Service (BT-MDIP). I have disabled Kerio from automatic
updates so I don't know what's causing it. Any ideas?

The log shows: "ICMP Destination Unreachable (Communication
Administratively Prohibited)", Direction: In
Remote Address: 213.121.147.209
Attack Class: misc-activity
Priority: Low
Action: permitted (this particularly worries me ;-)

The same entry has also been logged for 213.121.147.208.

PART 3
A quick check on HijackThis doesn't reveal much. A couple of entries I am
not sure about are:

O2 - BHO: (no name) - {--- binary code is written here ---} -
C:\WINDOWS\System32\nzdd.dll

O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll


Any advice much appreciated. TIA.

Regards,

Mick
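The O2/O10/O12 lines above are HijackThis log entries. The following is an added example (not code from the original post or from HijackThis) showing how a defender can parse such a log and attach a triage note to each entry: an unnamed BHO, a short random-looking DLL name under System32, and an O10 line naming a missing Winsock LSP are each flagged, while an ordinary plugin registration is only marked informational. The sample log is constructed to mirror the lines in the post, and the CLSID values are placeholders, since the post redacted the real one. The 'imon.dll' LSP is worth confirming before removing anything, because an LSP with that name is installed by the NOD32 internet monitor that is also running on the machine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the O2/O10/O12 lines quoted in the post.
# The CLSID values are placeholders; the post redacted the real one.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\\WINDOWS\\System32\\nzdd.dll
O2 - BHO: Example Toolbar Helper - {11111111-1111-1111-1111-111111111111} - C:\\Program Files\\Example\\toolbar.dll
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .spop: C:\\Program Files\\Internet Explorer\\Plugins\\NPDocBox.dll
"""

LINE_RE = re.compile(r"^(?P<code>O\d+) - (?P<detail>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
LSP_RE = re.compile(r"LSP provider '(?P<dll>[^']+)' missing")


@dataclass
class Entry:
    code: str
    detail: str
    findings: list = field(default_factory=list)


def parse_hjt(text):
    """Split a HijackThis log into (section code, detail) entries; lines that
    are not O-number lines (headers, blanks) are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["code"], m["detail"]))
    return entries


def triage(entries):
    """Attach heuristic findings to each entry and return the same list."""
    for e in entries:
        if e.code == "O2":
            m = BHO_RE.match(e.detail)
            if not m:
                e.findings.append("unparseable O2 line")
                continue
            name, path = m["name"], m["path"]
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if name == "(no name)":
                e.findings.append("BHO registered without a display name")
            # Heuristic only: four random lowercase letters dropped into System32
            # is a common pattern for adware/spyware components.
            if "\\system32\\" in path.lower() and re.fullmatch(r"[a-z]{4}", stem):
                e.findings.append("short random-looking DLL name in System32 (heuristic)")
        elif e.code == "O10":
            m = LSP_RE.search(e.detail)
            dll = m["dll"] if m else "?"
            e.findings.append(
                f"Winsock LSP chain references missing {dll}; confirm its owner before repairing"
            )
        elif e.code == "O12":
            e.findings.append("IE plugin registration: informational, verify the publisher")
    return entries


def suspicious(entries):
    """Entries that picked up at least one finding."""
    return [e for e in entries if e.findings]


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(e.code, e.detail)
        for f in e.findings:
            print("    ->", f)
```

Run it as-is to see the triage for the constructed log; point `parse_hjt` at a real saved log file to triage your own. The findings are hints for a human reviewer, not a verdict, which is why the script never proposes fixing anything itself.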
 

Duane Arnold

> Perhaps I'm getting paranoid for no reason, but this is how it looks
> from here:
>
> PART 1
> Installed new Kerio PF on fully patched XP. Also running Nod32 on
> trial.
>
> While browsing on this nsg I got a nasty netdex 10 backdoor trojan!
> Nod32 stopped it (or so it said). I quarantined it, and then deleted
> it. A full machine Nod32 scan did not reveal anything untoward.
> Quick check around the registry (told you I'm paranoid) revealed that
> "PostNotCached repost.html" was added to the registry key
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
> which I promptly deleted.
>
> Marvellous, I thought, there must be more . . . but I could not find
> any other tell-tale signs of this trojan on my machine.
>
> PART 2
> After rebooting I keep getting a little fellow trying to dial up! I
> believe that this happens when I right-click on the Kerio icon in the
> tool tray. The pop-up says something along the lines: "A program or
> you have requested connection to 213.121.147.208" If I do not react
> the same pop-up is replaced by 213.121.147.209. Both IP addresses
> seem to belong to BT Public Internet Service (BT-MDIP). I have
> disabled Kerio from automatic updates so I don't know what's causing
> it. Any ideas?
>
> The log shows: "ICMP Destination Unreachable (Communication
> Administratively Prohibited)", Direction: In
> Remote Address: 213.121.147.209
> Attack Class: misc-activity
> Priority: Low
> Action: permitted (this particularly worries me ;-)
>
> The same entry has also been logged for 213.121.147.208.
>
> PART 3
> A quick check on HijackThis doesn't reveal much. A couple of entries
> I am not sure about are:
>
> O2 - BHO: (no name) - {--- binary code is written here ---} -
> C:\WINDOWS\System32\nzdd.dll
>
> O10 - Broken Internet access because of LSP provider 'imon.dll' missing
> O12 - Plugin for .spop: C:\Program Files\Internet
> Explorer\Plugins\NPDocBox.dll
>
> Any advice much appreciated. TIA.
>
> Regards,
>
> Mick

You can possibly look into implementing TCP/IP Security on the XP O/S. It
covers about 15 registry entries that can be implemented to protect the
machine and the O/S.

You can also look into IPsec to supplement Kerio on the inbound and
outbound connections.

http://lists.gpick.com/pages/IP_Security_(IPSec).htm

Also, you can look into using some of the advice in this link.

http://www.uksecurityonline.com/husdg/windowsxp.php

The bottom line here is that the XP O/S can be configured to protect
itself, if implemented.

Duane :)
 

MickKi

Thanks Duane,

> You can possibly look into implementing TCP/IP Security on the XP O/S. It
> covers about 15 registry entries that can be implemented to protect the
> machine and the O/S.

I have already tightened TCP/IP & some of the registry by checking out the
links you have offered in this and previous messages ;-) I can't really
block everything as the machine is occasionally used on a small home
network and don't want to spend half an hour each time restoring
settings. But nevertheless, thanks to your advice my machine's security
is now much tighter than it used to be.

> You can also look into IPsec to supplement Kerio on the inbound and
> outbound connections.
>
> http://lists.gpick.com/pages/IP_Security_(IPSec).htm

Hmm, this'll take some time for me to read and then implement.

> Also, you can look into using some of the advice in this link.
>
> http://www.uksecurityonline.com/husdg/windowsxp.php
>
> The bottom line here is that the XP O/S can be configured to protect
> itself, if implemented.

Quite true. Having followed only part of the suggestions in your links,
certain online security scans (e.g. http://scan.sygate.com/) will now not
run at all. :blush:)

Would anyone know if there's any way to find out what's trying to "dial
home"? It all seems to have started since I've installed Kerio . . . BTW,
I've switched off XP's firewall, because I've read that Kerio conflicts
with it.

Also, I remember reading here about a freeware which would prompt to
accept/deny cookies and scripts - but can't find its name. Kerio's web
content management seems to be an "on or off" affair.

Regards,

Mick
 

Roy

213.121.147.209

[whois.ripe.net]
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 213.121.147.0 - 213.121.147.255


netname: BT-MDIP
descr: BT-MDIP
country: GB
admin-c: BS1474-RIPE
tech-c: BS1474-RIPE
status: ASSIGNED PA
remarks: Please send abuse notification to (e-mail address removed)
mnt-by: BTNET-MNT
mnt-lower: BTNET-MNT
mnt-routes: BTNET-MNT
changed: (e-mail address removed) 20000921
changed: (e-mail address removed) 20010628
changed: (e-mail address removed) 20020907
source: RIPE

route: 213.120.0.0/14

descr: BT Public Internet Service
origin: AS2856
mnt-by: BTNET-MNT
changed: (e-mail address removed) 20021204
source: RIPE

role: BTnet Support
address: 154 St Albans Rd
address: Sandridge
address: St Albans
address: Hertfordshire
address: AL4 9NH
address: GB
phone: +44 1189 512313
e-mail: (e-mail address removed)
trouble: (e-mail address removed)
admin-c: FLS15-RIPE
tech-c: BS1474-RIPE
nic-hdl: BS1474-RIPE
remarks: For all queries contact (e-mail address removed)
mnt-by: BTNET-MNT
changed: (e-mail address removed) 20010613
changed: (e-mail address removed) 20011112
changed: (e-mail address removed) 20020430
source: RIPE

And your from address is

From: MickKi <[email protected]>

Worked it out yet?

Cheers,

Roy
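Roy's whois lookup gives two nested blocks for the addresses in Mick's firewall log: the /24 inetnum (BT-MDIP) and the /14 route (BT Public Internet Service, AS2856). As an added example (not code from the original thread or from Kerio), the script below parses a small constructed log in the key/value shape of the entry Mick quoted, attributes each remote address to the most specific known block, and flags two things a defender cares about: inbound traffic that the firewall marked permitted, and the ICMP "Destination Unreachable, Communication Administratively Prohibited" message itself. That ICMP message (type 3, code 13) is only ever generated in reply to a packet the receiving host sent, so an inbound entry of that kind points back at an outbound attempt from the PC, which is exactly what Mick later found. The "Description:" key and the third record are my constructions.

```python
import ipaddress

# Netblocks taken from the RIPE whois records quoted above.
KNOWN_BLOCKS = [
    (ipaddress.ip_network("213.121.147.0/24"), "BT-MDIP (inetnum)"),
    (ipaddress.ip_network("213.120.0.0/14"), "BT Public Internet Service, AS2856 (route)"),
]

# Constructed sample in the key/value shape of the Kerio entry quoted in the
# thread; the "Description:" key and the third record are invented.
SAMPLE_LOG = """\
Description: ICMP Destination Unreachable (Communication Administratively Prohibited)
Direction: In
Remote Address: 213.121.147.209
Attack Class: misc-activity
Priority: Low
Action: permitted

Description: ICMP Destination Unreachable (Communication Administratively Prohibited)
Direction: In
Remote Address: 213.121.147.208
Attack Class: misc-activity
Priority: Low
Action: permitted

Description: TCP SYN to port 445
Direction: In
Remote Address: 198.51.100.7
Attack Class: attempted-recon
Priority: Medium
Action: denied
"""

# Reason attached to every admin-prohibited ICMP record.
ICMP_NOTE = "ICMP type 3/code 13 is a reply to a packet this host sent: look for the outbound attempt"


def parse_records(text):
    """Blank-line separated blocks of 'Key: value' lines -> list of dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def attribute(addr):
    """Owner of the most specific known block containing addr, else 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for net, owner in sorted(KNOWN_BLOCKS, key=lambda b: b[0].prefixlen, reverse=True):
        if ip in net:
            return owner
    return "unknown"


def review(records):
    """Attribute each record and attach the notes a reviewer would want."""
    findings = []
    for r in records:
        notes = []
        if r.get("Direction") == "In" and r.get("Action") == "permitted":
            notes.append("inbound traffic permitted")
        if "Administratively Prohibited" in r.get("Description", ""):
            notes.append(ICMP_NOTE)
        findings.append({"remote": r["Remote Address"],
                         "owner": attribute(r["Remote Address"]),
                         "notes": notes})
    return findings


if __name__ == "__main__":
    for f in review(parse_records(SAMPLE_LOG)):
        print(f["remote"], "->", f["owner"])
        for n in f["notes"]:
            print("    ", n)
```

Extend `KNOWN_BLOCKS` with whatever your own whois lookups return; the most-specific-match rule means a /24 assignment will always win over the covering route it sits inside.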
 

David W. Hodgins

> PART 2
> After rebooting I keep getting a little fellow trying to dial up! I
> believe that this happens when I right-click on the Kerio icon in the tool
> tray. The pop-up says something along the lines: "A program or you have
> requested connection to 213.121.147.208" If I do not react the same pop-up
> is replaced by 213.121.147.209. Both IP addresses seem to belong to BT
> Public Internet Service (BT-MDIP). I have disabled Kerio from automatic
> updates so I don't know what's causing it. Any ideas?
>
> The log shows: "ICMP Destination Unreachable (Communication
> Administratively Prohibited)", Direction: In
> Remote Address: 213.121.147.209
> Attack Class: misc-activity
> Priority: Low
> Action: permitted (this particularly worries me ;-)
>
> The same entry has also been logged for 213.121.147.208.
>
> PART 3
> A quick check on HijackThis doesn't reveal much. A couple of entries I am
> not sure about are:
>
> O2 - BHO: (no name) - {--- binary code is written here ---} -
> C:\WINDOWS\System32\nzdd.dll

Probably Net Zip Downloader Dll.

Adaware, or Spybot Search & Destroy should get rid of this.

See http://grc.com/downloaders.htm if you'd like more info
on it.

Regards, Dave Hodgins
 

Duane Arnold

> Would anyone know if there's any way to find out what's trying to
> "dial home"? It all seems to have started since I've installed Kerio
> . . . BTW, I've switched off XP's firewall, because I've read that
> Kerio conflicts with it.

Process Explorer (free, use Google), Active Ports (free) and XP's Audit
Process Tracking and Object Access (use Google on How to(s)) come to mind
and hopefully the combination will help you pinpoint it.

> Also, I remember reading here about a freeware which would prompt to
> accept/deny cookies and scripts - but can't find its name. Kerio's
> web content management seems to be an "on or off" affair.

I don't know about that one. I just tell IE to prompt or don't do it at all
on a lot of things. You may be using a different browser.

Duane :)
 

Gabriele Neukam

On that special day, MickKi,
([email protected]) said...
> revealed that "PostNotCached
> repost.html" was added to the registry key
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs which I
> promptly deleted.

I don't think that this entry can start anything at all. It is just like
one of the many "most recently used" memory caches, I believe, or rather
a Favourites add-on. But it shouldn't be capable of starting anything by
itself.


Gabriele Neukam

(e-mail address removed)
 

MickKi

Hi Roy,

> 213.121.147.209
>
> [whois.ripe.net]
> % This is the RIPE Whois server.
> % The objects are in RPSL format.
> %
> % Rights restricted by copyright.
> % See http://www.ripe.net/ripencc/pub-services/db/copyright.html
>
> inetnum: 213.121.147.0 - 213.121.147.255
>
> netname: BT-MDIP
> descr: BT-MDIP
> country: GB
> admin-c: BS1474-RIPE
> tech-c: BS1474-RIPE
> status: ASSIGNED PA
> remarks: Please send abuse notification to (e-mail address removed)
> mnt-by: BTNET-MNT
> mnt-lower: BTNET-MNT
> mnt-routes: BTNET-MNT
> changed: (e-mail address removed) 20000921
> changed: (e-mail address removed) 20010628
> changed: (e-mail address removed) 20020907
> source: RIPE
>
> route: 213.120.0.0/14
>
> descr: BT Public Internet Service
> origin: AS2856
> mnt-by: BTNET-MNT
> changed: (e-mail address removed) 20021204
> source: RIPE
>
> role: BTnet Support
> address: 154 St Albans Rd
> address: Sandridge
> address: St Albans
> address: Hertfordshire
> address: AL4 9NH
> address: GB
> phone: +44 1189 512313
> e-mail: (e-mail address removed)
> trouble: (e-mail address removed)
> admin-c: FLS15-RIPE
> tech-c: BS1474-RIPE
> nic-hdl: BS1474-RIPE
> remarks: For all queries contact (e-mail address removed)
> mnt-by: BTNET-MNT
> changed: (e-mail address removed) 20010613
> changed: (e-mail address removed) 20011112
> changed: (e-mail address removed) 20020430
> source: RIPE
>
> And your from address is
>
> From: MickKi <[email protected]>
>
> Worked it out yet?

Sorry Roy, I think I'm missing your point. What's my From: address got to
do with the above IP address?

Regards,

Mick
 

MickKi

Thank you All,

> On that special day, MickKi,
> ([email protected]) said...
>
> I don't think that this entry can start anything at all. It is just like
> one of the many "most recently used" memory caches, I believe, or rather
> a Favourites add-on. But it shouldn't be capable of starting anything by
> itself.

Thank you all for your help. I used the Windows Audit Process Tracking
and Object Access and also downloaded the Process Explorer and ran this as
well. It seems that the Rasautou.exe fires up and tries to dial out.
That's the Remote Access Dialler. I think it is run by the Remote Access
Auto Connection Manager, which I've set up as a Manual service. Now, the
question is what on earth makes it do that? Hmm, can't tell yet, but
here's an interesting angle:

After I boot up nothing happens, despite the fact that the Remote Access
Auto Connection Manager has started. It all happens when I right click on
Kerio and select Configuration. Now, it's worth mentioning at this moment
that I (and it seems others also running Win XP) have not yet managed to
manually check for Kerio Updates (it comes back with an error). I have
additionally *deselected* Kerio's Automatic Updates setting. So, I can
only think that this remote access process is all to do with Kerio's
(buggy) update feature. If anyone knows better please let me know too.
Meanwhile, I have disabled the Remote Access Auto Connection Manager and
so given myself one more thing to reset when I'm running a local network.

On a different note, does anyone know how to uninstall Netzip (it is
indeed associated with the RealPlayer spyware - thanks for the link!).
It's not shown in Start/Control panel/Add-Remove programs.

Regards,

Mick
 

optikl

MickKi said:
> Also, I remember reading here about a freeware which would prompt to
> accept/deny cookies and scripts - but can't find its name. Kerio's web
> content management seems to be an "on or off" affair.
>
> Regards,
>
> Mick
> --

There are a couple. AnalogX has one. Another can be found at Jason's
Toolbox. Do a google on these sites to get the correct URL's.
 

Robin T Cox

> On a different note, does anyone know how to uninstall Netzip (it is
> indeed associated with the RealPlayer spyware - thanks for the link!).
> It's not shown in Start/Control panel/Add-Remove programs.

Use Spybot S&D. If you don't have it, there's a short tutorial and download
link here:
http://tomcoyote.org/SPYBOT/

After installing, press Online, and search for, put a check mark at, and
install all updates.

Fix everything SpybotSD labels in red.

Reboot, and then test your system. If your problem isn't gone (or if you're
unsure)-

Download 'Hijack This!'. http://www.tomcoyote.org/hjt/
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log"
button.
Press that, save the log, load it in Notepad, and copy its contents. Most
of what it lists will be harmless or even essential, don't fix anything
yet.

Then go to http://forums.spywareinfo.com/

Just sign in, or post as a guest, and go to the Spyware and Hijackware
Removal Support section. Press "new topic", explain your problem, and
copy and paste the contents of the Hijack This log into your new message.
 

Roy

> Sorry Roy, I think I'm missing your point. What's my From: address got to
> do with the above IP address?

Something on your PC, possibly legitimate, seems to be trying to connect
to your ISP. It's not uncommon for there to be this two way attempt at
communication, in my experience at least, but you shouldn't have to
allow it for your service to continue.

Tell your firewall to deny it, inwards as well as outwards, and observe
if anything stops working.

Run Regedit32 and search your registry for 213.121.147.* and see if
anything turns up, particularly under RAS Autodial. It should be safe
enough to delete any such entry, but the usual cautions apply, and
either save your registry before making any changes, or export that
hive, in case of cock ups.

I experienced something rather similar, not too long ago, which nearly
drove me to distraction while I tried to work out what was going on. I
could find nothing malicious, but it kept happening, but my firewall
was set to block it of course. After searching the registry using the
numbers, I located a perfectly legitimate RAS entry which had turned
rogue, and decided to 'dial out' on its own. I understand this is quite
well known.

Please understand that I claim no expertise, but my own experience may
prove helpful to you.

Cheers,

Roy
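Roy suggests searching the registry for 213.121.147.* and exporting the hive first. As an added example (not code from the original thread), the script below searches a regedit export (.reg file) for an address prefix rather than the live registry, which is the safer order of operations: export, search the copy, then decide what to touch. It handles two things a plain text search misses. First, regedit writes exports as UTF-16 with a byte-order mark, so a naive read as UTF-8 sees NUL-separated characters and finds nothing. Second, a string stored as REG_BINARY or REG_EXPAND_SZ appears in the export as `hex:` byte lists, often continued across lines with a trailing backslash, so the bytes are decoded as both Latin-1 and UTF-16LE before matching. The sample export, its key path and value names are constructed for illustration; only the 213.121.147.x addresses come from the thread.

```python
import re

# Constructed regedit export (version 5.00 format). The key path and value
# names are illustrative; only the 213.121.147.x addresses come from the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Example\Sample Autodial\Addresses]
"Entry1"="213.121.147.209"
"Entry2"=hex:32,31,33,2e,31,32,31,2e,\
  31,34,37,2e,32,30,38
"Entry3"="10.0.0.1"

[HKEY_CURRENT_USER\Software\Example\Other]
"Unrelated"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\([0-9a-fA-F]+\))?:(?P<b>.*)$")


def load_reg(source):
    """Accept str or bytes. regedit writes UTF-16 with a byte-order mark,
    which a naive read as UTF-8 turns into NUL-separated garbage."""
    if isinstance(source, bytes):
        if source.startswith((b"\xff\xfe", b"\xfe\xff")):
            return source.decode("utf-16")
        return source.decode("utf-8", errors="replace")
    return source


def decode_data(data):
    """Return every string form of one value's data that is worth searching."""
    data = data.strip()
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return [data[1:-1].replace('\\\\', '\\').replace('\\"', '"')]
    m = HEX_RE.match(data)
    if m:
        raw = bytes.fromhex(re.sub(r"[,\s]", "", m["b"]))
        forms = [raw.decode("latin-1")]          # REG_BINARY holding ASCII
        if len(raw) % 2 == 0:
            forms.append(raw.decode("utf-16-le", errors="ignore"))  # REG_EXPAND_SZ etc.
        return forms
    return [data]                                # dword:..., or unrecognised


def iter_values(text):
    """Yield (key, value name, raw data), joining hex lines continued with '\\'."""
    key, buf = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if buf is not None:                      # continuation of a hex value
            buf[2] += line.rstrip("\\")
            if not line.endswith("\\"):
                yield tuple(buf)
                buf = None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = m["name"].strip('"'), m["data"].strip()
            if data.endswith("\\"):
                buf = [key, name, data.rstrip("\\")]
            else:
                yield (key, name, data)


def search_reg(text, needle):
    """Find needle in key names and in every decoded form of value data.
    Returns (key, value name or None for a key-name hit, matched form)."""
    hits = []
    for raw in text.splitlines():
        m = KEY_RE.match(raw.strip())
        if m and needle in m["key"]:
            hits.append((m["key"], None, m["key"]))
    for key, name, data in iter_values(text):
        for form in decode_data(data):
            if needle in form:
                hits.append((key, name, form))
                break
    return hits


if __name__ == "__main__":
    for key, name, form in search_reg(load_reg(SAMPLE_REG), "213.121.147."):
        print(f"{key}\n    {name!r} -> {form!r}")
```

To use it on a real export, read the file in binary mode and pass the bytes to `load_reg`; the hits tell you which key each match lives under, so you can judge it in context before deleting anything, as Roy advises.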
 

MickKi

Hi Roy,

> Something on your PC, possibly legitimate, seems to be trying to connect
> to your ISP. It's not uncommon for there to be this two way attempt at
> communication, in my experience at least, but you shouldn't have to
> allow it for your service to continue.

Thank you for your advice. Although bbinternet are an ISP and I do have
an account with them, which I use with my PDA, they are not related to BT
Internet. I use a different ISP to dial out with my PC and a search of my
registry for this IP address did not reveal anything. However, I've
uninstalled Kerio 4 and all my troubles have stopped! I think that the
current Kerio version is a bit buggy and still under development, but I am
looking forward to the finished product.

Meanwhile, I've decided to try out Outpost which seems to be pretty smooth
so far, at least you can see when it is trying to dial out. The only thing
is that I find the default settings are pretty slack for my liking.

Regards,

Mick
 