Strange IP keeps establishing

Discussion in 'Virus and Malware Removal' started by enfuego, Jan 22, 2008.

Thread Status:
Not open for further replies.
  1. enfuego Newcomer, in training

    1/30/2008 1:29:25 AM Added update.exe TCP 192.168.1.151:4931 207.66.62.23:80
    1/30/2008 1:29:27 AM Removed update.exe TCP 192.168.1.151:4931 207.66.62.23:80
    1/30/2008 2:09:09 AM Added svchost.exe TCP 192.168.1.151:4932 199.93.58.125:80
    1/30/2008 2:09:11 AM Added svchost.exe TCP 192.168.1.151:4933 65.55.192.61:80
    1/30/2008 2:09:17 AM Added svchost.exe TCP 192.168.1.151:4934 199.93.58.125:80
    1/30/2008 2:09:17 AM Removed svchost.exe TCP 192.168.1.151:4932 199.93.58.125:80
    1/30/2008 2:09:39 AM Removed svchost.exe TCP 192.168.1.151:4934 199.93.58.125:80
    1/30/2008 2:09:47 AM Added svchost.exe TCP 192.168.1.151:4935 65.55.192.61:443
    1/30/2008 2:09:55 AM Added svchost.exe TCP 192.168.1.151:4936 4.23.63.125:80
    1/30/2008 2:10:09 AM Removed svchost.exe TCP 192.168.1.151:4936 4.23.63.125:80
    1/30/2008 2:10:18 AM Removed svchost.exe TCP 192.168.1.151:4933 65.55.192.61:80
    1/30/2008 2:11:06 AM Removed svchost.exe TCP 192.168.1.151:4935 65.55.192.61:443
    1/30/2008 6:43:32 AM Added svchost.exe TCP 192.168.1.151:4937 198.78.223.125:80
    1/30/2008 6:43:34 AM Added svchost.exe TCP 192.168.1.151:4938 65.55.184.61:80
    1/30/2008 6:44:02 AM Removed svchost.exe TCP 192.168.1.151:4937 198.78.223.125:80
    1/30/2008 6:44:04 AM Added svchost.exe TCP 192.168.1.151:4940 198.78.223.125:80
    1/30/2008 6:44:04 AM Added svchost.exe TCP 192.168.1.151:4939 65.55.184.61:443
    1/30/2008 6:44:32 AM Removed svchost.exe TCP 192.168.1.151:4940 198.78.223.125:80
    1/30/2008 6:44:48 AM Removed svchost.exe TCP 192.168.1.151:4938 65.55.184.61:80
    1/30/2008 6:45:12 AM Removed svchost.exe TCP 192.168.1.151:4939 65.55.184.61:443
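Added example, not part of the original thread: a small Python script that parses the CurrPorts-style connection log quoted in the post above (the sample input embedded below is a copy of those twenty lines), pairs each "Added" with its "Removed", and aggregates per process and remote endpoint. Grouping this way shows at a glance how often each endpoint is reconnected and how long each connection lives, and reduces the whois work to one lookup per distinct public IP. The log format regex and the field names are this example's own assumptions about the export format.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the connection log lines quoted in the first post
# (date, time, Added/Removed, process, protocol, local endpoint, remote endpoint).
LOG = """\
1/30/2008 1:29:25 AM Added update.exe TCP 192.168.1.151:4931 207.66.62.23:80
1/30/2008 1:29:27 AM Removed update.exe TCP 192.168.1.151:4931 207.66.62.23:80
1/30/2008 2:09:09 AM Added svchost.exe TCP 192.168.1.151:4932 199.93.58.125:80
1/30/2008 2:09:11 AM Added svchost.exe TCP 192.168.1.151:4933 65.55.192.61:80
1/30/2008 2:09:17 AM Added svchost.exe TCP 192.168.1.151:4934 199.93.58.125:80
1/30/2008 2:09:17 AM Removed svchost.exe TCP 192.168.1.151:4932 199.93.58.125:80
1/30/2008 2:09:39 AM Removed svchost.exe TCP 192.168.1.151:4934 199.93.58.125:80
1/30/2008 2:09:47 AM Added svchost.exe TCP 192.168.1.151:4935 65.55.192.61:443
1/30/2008 2:09:55 AM Added svchost.exe TCP 192.168.1.151:4936 4.23.63.125:80
1/30/2008 2:10:09 AM Removed svchost.exe TCP 192.168.1.151:4936 4.23.63.125:80
1/30/2008 2:10:18 AM Removed svchost.exe TCP 192.168.1.151:4933 65.55.192.61:80
1/30/2008 2:11:06 AM Removed svchost.exe TCP 192.168.1.151:4935 65.55.192.61:443
1/30/2008 6:43:32 AM Added svchost.exe TCP 192.168.1.151:4937 198.78.223.125:80
1/30/2008 6:43:34 AM Added svchost.exe TCP 192.168.1.151:4938 65.55.184.61:80
1/30/2008 6:44:02 AM Removed svchost.exe TCP 192.168.1.151:4937 198.78.223.125:80
1/30/2008 6:44:04 AM Added svchost.exe TCP 192.168.1.151:4940 198.78.223.125:80
1/30/2008 6:44:04 AM Added svchost.exe TCP 192.168.1.151:4939 65.55.184.61:443
1/30/2008 6:44:32 AM Removed svchost.exe TCP 192.168.1.151:4940 198.78.223.125:80
1/30/2008 6:44:48 AM Removed svchost.exe TCP 192.168.1.151:4938 65.55.184.61:80
1/30/2008 6:45:12 AM Removed svchost.exe TCP 192.168.1.151:4939 65.55.184.61:443
"""

# Assumed line layout of the export; anything that does not match is rejected, not guessed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<event>Added|Removed) (?P<proc>\S+) (?P<proto>TCP|UDP) "
    r"(?P<lhost>[\d.]+):(?P<lport>\d+) (?P<rhost>[\d.]+):(?P<rport>\d+)$"
)


def parse(log):
    """Parse the log text into a list of event dicts with a datetime timestamp."""
    events = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised log line: %r" % line)
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%m/%d/%Y %I:%M:%S %p")
        e["lport"] = int(e["lport"])
        e["rport"] = int(e["rport"])
        events.append(e)
    return events


def summarize(events):
    """Pair each Added with its Removed (same process, local port and remote endpoint)
    and aggregate per (process, remote ip:port): connection count and lifetimes in seconds."""
    open_conns = {}
    summary = defaultdict(lambda: {"count": 0, "durations": []})
    for e in events:
        conn = (e["proc"], e["lhost"], e["lport"], e["rhost"], e["rport"])
        remote = (e["proc"], "%s:%d" % (e["rhost"], e["rport"]))
        if e["event"] == "Added":
            open_conns[conn] = e["ts"]
            summary[remote]["count"] += 1
        else:
            started = open_conns.pop(conn, None)
            if started is not None:
                summary[remote]["durations"].append((e["ts"] - started).total_seconds())
    return dict(summary)


def remote_ips_to_whois(events):
    """Distinct public remote IPs: one whois/ARIN lookup each rather than one per log line."""
    ips = {e["rhost"] for e in events if ipaddress.ip_address(e["rhost"]).is_global}
    return sorted(ips, key=ipaddress.ip_address)


def report(log):
    """Rows of (process, remote endpoint, connection count, total seconds connected)."""
    rows = []
    for (proc, remote), s in summarize(parse(log)).items():
        rows.append((proc, remote, s["count"], sum(s["durations"])))
    return sorted(rows)


if __name__ == "__main__":
    for row in report(LOG):
        print("%-12s %-20s %2d connection(s) %5.0f s connected" % row)
    print("whois candidates:", ", ".join(remote_ips_to_whois(parse(LOG))))
```

Run against the posted log this gives a short table: update.exe talked once to 207.66.62.23:80 for 2 seconds, svchost.exe reconnected twice each to 199.93.58.125:80 and 198.78.223.125:80 and held the 65.55.x.x connections for roughly a minute each; the six distinct public IPs are the whole whois workload.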
  2. Nodsu Newcomer, in training

    Well, something called "update.exe" simply screams "MALWARE!" You should really take a look at the preliminary detection and removal guide.

    The connections by svchost seem to be legit. At least they don't point to some home users.
  3. LookinAround TechSpot Chancellor

    • The 3 IPs you originally listed 207.66.62.22, 207.66.62.23, 207.66.62.24 belong to Akamai Technologies based in Cambridge, MA.
    • Akamai Technologies IP range (these fall into) 207.66.62.16 - 207.66.62.31 which are all hosted by ISP Oso Grande Technologies, Inc.
    Look at Akamai's website. Ask IT if you use any of their products or they know of them. For that matter, why don't you run your problem by them? And if they're the ones maintaining the firewall seems it should be their problem as well.
  4. jobeard TechSpot Ambassador

    The MS WGA 'calls home 1/24 hours' and
    whois -H 65.55.192.61 shows
    OrgName: Microsoft Corp
    OrgID: MSFT
    Address: One Microsoft Way
    City: Redmond
    StateProv: WA
    PostalCode: 98052
    Country: US
    svchost.exe performs several services for MS systems
    svchost.exe -k NetworkService
    svchost.exe -k LocalService
    svchost.exe -k imgsvc
    svchost.exe -k DcomLaunch
    svchost.exe -k NetworkService
    svchost.exe -k rpcss
    the WGA runs as soon as the Internet is accessible after boot
  5. enfuego Newcomer, in training

    Now I have a new IP popping up as persistently establishing...(along with the others above): 12.129.210.46
  6. jobeard TechSpot Ambassador

    you obviously have an insecure system (i.e. you keep getting infected)
    or you have not cleaned up the existing infection.

    disconnect from the internet until you
    1- get it cleaned
    2- get your firewall running
    3- get a good AV program

    suggest you avoid p2p, Torrent access, MySpace et al.

    There's some usage pattern here that is creating an environment conducive to infections.
  7. enfuego Newcomer, in training

    the 207.x.x.x address is no longer connecting...

    Now, I have this one constantly connecting:

    208.50.192.248, resolving to host name as21357.akamai-07.fe5-0-0.ixnm.net

    I will kill the connection with CurrPort and it will pop back up in 5-10 seconds.

    Please advise!
  8. jobeard TechSpot Ambassador

    this is ok as it is only a tracking cookie being set by the website you're visiting.

    if you want to kill this (and many others) get ad-blocking software and/or
    add this to your \windows\system32\drivers\etc\hosts file

    127.0.0.1 .ixnm.net

    the tip-off is akamai, a service used by websites
  9. enfuego Newcomer, in training

    Just curious...should it be added exactly as above?...with the "dot" before the host name? Is a reboot required for the new host file to take effect?
  10. jobeard TechSpot Ambassador

    yes add it literally

    then get a command prompt (in an admin logon)

    ipconfig /flushdns
    net stop "DNS Client"
    net start "DNS Client"

    no reboot required
  11. enfuego Newcomer, in training

    hmmmm...added it, and it's still connecting. :confused:
  12. Bobbye Helper on the Fringe

    Back to the original IPs:
    CustName: Akamai Technologies Inc.
    Address: 8 Cambridge Center
    City: Cambridge
    StateProv: MA
    PostalCode: 02142
    Country: US
    NetRange: 207.66.62.16 - 207.66.62.31

    In short, Akamai Technologies, Inc. provides services and solutions for digital media distribution and storage, content and application delivery, application performance services, on demand managed services, and Web site intelligence.

    Read 'ads'. Read 'calling home' To report abuse:
    OrgAbuseEmail: abuse@osogrande.com

    The IP is shared with Oso Grande Technologies, Inc.
    Oso Grande Technologies is the most experienced internet company in New Mexico, providing DSL Internet services, leased lines T1 and above, colocation and ..........

    Does that help you ID what's happening?

    Source: Arin WhoIS Database.
  13. Blind Dragon Newcomer, in training

    A good way for managing startup programs without downloading additional software is through
    Spybot S&D
    • Download Spybot from HERE
    • Go to Mode and select advanced.
    • Expand tools in the left pane, then double click system startup
    • Uncheck items that don't need to be started every time you turn on your computer (i.e. anything that says akamai). You will still be able to run these programs but they won't automatically load when you turn on your system.

    If you want to see if you have the Nasty Virus type or the reputable files from the actual company (example below)

    OK
    hxxp://akamai.downloadv3.com/binaries/IA/dtc32_ES_XP.cab
    or
    hxxp://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_pack_XP.cab

    NOT OK (dialer)
    hxxp://akamai.downloadv3.com/binaries/LiveService/LiveService_5_EN_XP.cab

    Please do the following
    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
      ***Under no circumstances should you add any items to the HJT ignore list. Under no circumstances should you change the directory that HijackThis downloads to. Under no circumstances should you Fix anything without specific instruction to do so. Under no circumstances should you click any buttons other than specified in the directions including AnalyzeThis!***
  14. enfuego Newcomer, in training

    No files appearing from the company in SD but I'm attaching a startup log for kicks. I'm curious if crypt32chain might be suspicious? I'm also attaching the HJT log...thanks for looking.
  15. jobeard TechSpot Ambassador

    citation
    Code:
    crypt32chain.dll is a module belonging to the Crpytnet trojan and should be removed immediately
  16. Bobbye Helper on the Fringe

    Always go to the source first to check:

    Q."Spybot found crypt32chain in the crypt32.dll. It was set as a startup file."

    A. "Re-enable that item> These are normal on xp and XP Pro "

    Q. "crypt32chain the process being told to run by the crypt32.dll, and the crypt32chain.dll the Trojan?"

    A. "If you would like more information search our forum for the term crypt32chain"

    http://forums.spybot.info/showthread.php?t=2600
  17. enfuego Newcomer, in training

    crypt32chain appears to be a trojan...crypt32.dll is legit. crypt32chain uses the legit program in its dirty work....
  18. Blind Dragon Newcomer, in training

    O4 - Startup: cports.exe.lnk = C:\Documents and Settings\HR\Desktop\Timesheet\cports\cports.exe

    Do you know what this file goes with? I couldn't find a lot of information on it and the database I normally use is down for a bit.

    Those look normal to me
  19. enfuego Newcomer, in training

    It's legit....currports by nirsoft used to monitor ports.
  20. jobeard TechSpot Ambassador

    still does (and well I might add) :)

    HouseCall by Trend Micro creates a false positive however on cports.exe
    (it's a known issue)