Programs Connecting To A Domain For No Reason


4 replies to this topic

#1 obiwonkanewbie


Posted 27 December 2006 - 06:49 AM

A while ago I noticed a recurring communication in my NIS 2003 web history log. I knew I had not knowingly visited the site but it was everywhere in the log. First I noticed "client.speedbit.com" repeated many dozens of times over a time period of a few days. SPEEDBIT.COM is the home of DAP or DownloadAcceleratorPlus and after I set up a security alert I could see that every time I downloaded a file using DAP, DAP was sending something "Home". They claim "100% Spyware free" but it sure looks like it is not. Now this is where it gets interesting: I uninstalled DAP but the Firewall Rule I had created, "Block Speedbit.com", was still getting hits. A few examples:
every time I restart the computer, C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE and inetinfo.exe try to go to speedbit.com;
here is a list of processes:
C:\Program Files\Norton Internet Security\ccPxySvc.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.EXE
C:\WINDOWS\System32\svchost.EXE
C:\Program Files\Microsoft Office\OFFICE11\MSACCESS.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\WINDOWS\System32\msdtc.EXE
System
C:\Program Files\Microsoft Office\OFFICE11\FRONTPG.EXE
(not when FrontPage is started, but when I connect to a website)

It is always one of these addresses:

client.speedbit.com or
reviews.speedbit.com or
ad9.speedbit.com or
www1.speedbit.com or
212.143.22.10 or
212.143.22.36 or
212.143.22.63 or
212.143.22.177

and TCP, UDP, ICMP (both ways)

Then I checked another computer here that had DAP installed and it is doing the same thing BUT....

another computer here that has NEVER had DAP installed is also "phoning home"!!

I have done many virus, spybot, adware and malware scans and found a few things but nothing has fixed or alleviated the problem. I have tried another security program, the CA Security suite and started getting blue screen crashes (in XP pro) and upgraded to newer versions of Norton Security and now I have extreme sluggishness and lockups.

Anyone seen or heard of this before?

ObiWonKaNewbie



#2 quietman7


Posted 28 December 2006 - 06:15 PM

DAP is not technically malware, but it may deliver advertising pop ups, track your Internet usage and allow malware into your system. Although you removed DAP, there still may be some related files and registry entries on your system.

After uninstall, did you delete its folder in C:\Program Files\DAP\ <- this folder
and clean out all your temp & temp Internet folders?

Those IP addresses resolve to NetVision Ltd

Netvision NOC team
Omega Building
MATAM industrial park
Haifa 31905
Israel

"I have tried another security program, the CA Security suite and started getting blue screen crashes (in XP pro) and upgraded to newer versions of Norton Security"

Are you saying you use two anti-virus programs now? The concern with using more than one anti-virus program is due to conflicts that can arise when both are running in real-time mode simultaneously. Anti-virus software components insert themselves into the operating system's core and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

Each anti-virus will often interpret the activity of the other as a virus and there is a greater chance of them alerting you to "False Positives". If one finds a virus and then the other also finds the same virus, both programs will be competing over exclusive rights on dealing with that virus. Each anti-virus will attempt to seize the offending file and quarantine it. If one finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a virus has been found. Deciding which anti-virus solution to remove is your choice. Be aware that you may lose your subscription to that anti-virus program's virus definitions once you uninstall that software.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 obiwonkanewbie


Posted 02 January 2007 - 03:27 AM

Yes I guess DAP is not technically malware probably because they tell you in the license agreement, that they can use any information gathered from your computer in any way they want and you agree not to complain. Here is a short part of it:

...Any information or material submitted or sent to SpeedBit, will be deemed not to be confidential or secret. By submitting or sending documents, information or other material ("Material") to SpeedBit you (1) warrant that you have no rights of any kind to the Material; that to the best of your knowledge no other party has any rights to the Material; (2) grant SpeedBit an unrestricted, irrevocable license to use, reproduce, display, perform, modify, transmit and distribute the Material, and you further agree that SpeedBit is free to use any ideas, know-how, concepts or techniques you send us for any purpose....

I have seen others that are even worse.

Yes I think I have seen the name "Netvision" in whois lookups. And I also remember that it is in Israel.

No I am not running more than one Anti-Virus program. I was running 2 or 3 firewalls together (Norton 2003, Sygate and Windows XP FW) until recently. I never had any problems but then maybe I did and didn't know why. Now I just use one FW and one AV.

And I have one machine here that is trying to communicate with speedbit.com that NEVER had DAP installed on it. That computer IS on the same home network.

I did a little research and found "speedbit.com" in the descriptions of several virus and worms. But my AV scans have not found a virus. Isn't there some way to find why a process tries to communicate with a certain address?? I would also like to know what is in the UDP and TCP packets.

Yes I did delete the DAP folder and when I did I found a renamed copy of the DAP EULA in the PROGRAM FILES directory!! When I uninstalled DAP, it left a copy OUTSIDE of the empty DAP folder and renamed it "licensecurrent.txt". It had the current date/time when uninstalling for "Date modified" so I am sure it was part of the uninstallation. That is kinda unusual.

Thanks
Tell me more, please!!

Obiwon
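
An added example, not part of the thread or any poster's own code: one way to see which process owns a connection to the addresses listed in post #1 is to parse `netstat -ano` output and join it to a PID list such as `tasklist` provides. The netstat text and the PID map below are constructed samples, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# The four addresses listed in post #1.
WATCHED = {ipaddress.ip_address(a) for a in
           ("212.143.22.10", "212.143.22.36", "212.143.22.63", "212.143.22.177")}

# Constructed sample in the layout of `netstat -ano`; not captured from any machine.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1042       212.143.22.10:80       ESTABLISHED     1480
  TCP    192.168.1.5:1043       192.0.2.7:443          ESTABLISHED     1480
  TCP    192.168.1.5:1050       212.143.22.177:80      SYN_SENT        912
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  UDP    192.168.1.5:1900       *:*                                    1020
"""

# Constructed PID -> image name map, standing in for `tasklist` output.
PROCESSES = {1480: "Explorer.EXE", 912: "svchost.EXE",
             880: "svchost.EXE", 1020: "svchost.EXE"}

def parse_netstat(text):
    """Yield (proto, remote_ip, remote_port, state, pid) for each connection row."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        # UDP rows have no State column, so the PID is always the last field.
        proto, remote, pid = f[0], f[2], int(f[-1])
        state = f[3] if len(f) == 5 else ""
        host, _, port = remote.rpartition(":")
        try:
            ip = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            continue  # "*:*" on unconnected UDP sockets
        yield proto, ip, int(port), state, pid

def watched_connections(text, processes):
    """Group connections to watched addresses by owning process image."""
    hits = defaultdict(list)
    for proto, ip, port, state, pid in parse_netstat(text):
        if ip in WATCHED:
            name = processes.get(pid, "PID %d (unknown)" % pid)
            hits[name].append((proto, str(ip), port, state))
    return dict(hits)

if __name__ == "__main__":
    for name, conns in watched_connections(NETSTAT_SAMPLE, PROCESSES).items():
        print(name, conns)
```
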

#4 buddy215


Posted 02 January 2007 - 06:56 AM

Here are a couple of things you might want to use to get rid of the remnants and stop the program from calling home.
http://windowsxp.mvps.org/MSICLEAN.htm
http://www.snapfiles.com/get/autoruns.html
--------------------------------------------------------------------------------

Since there is a good possibility of malware on your computer here is a link to one of the best antispyware/adware programs.
http://free.grisoft.com/doc/5390/lng/us/tpl/v5

--------------------------------------------------------------------------------

Of course, you could post a Hijack This log and let the experts help you by following the instructions in the link below.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#5 obiwonkanewbie


Posted 05 January 2007 - 10:54 PM

Hey, thank you.
There's so many spyware removal programs to choose from, I really appreciate recommendations!!
I have been thinking about posting my Hijack Log for this problem. I will try the others first (I already have autoruns) then do the Hijack Log even if I think I have it fixed.

Obiwon



