Strange IP keeps establishing

Status
Not open for further replies.
you obviously have an insecure system (ie you keep getting infected)
or you have not cleaned up the existing infection.

disconnect from the internet until you
1- get it cleaned
2- get your firewall running
3- get a good AV program

suggest you avoid p2p, Torrent access, MySpace et al.

There's some usage pattern here that is creating an environment conducive to
infections.
 
the 207.x.x.x address is no longer connecting...

Now, I have this one constantly connecting:

208.50.192.248, resolving to host name as21357.akamai-07.fe5-0-0.ixnm.net

I will kill the connection with CurrPort and it will pop back up in 5-10 seconds.

Please advise!
 
this is ok as it is only a tracking cookie being set by the website you're visiting.

if you want to kill this (and many others) get ad-blocking software and/or
add this to your \windows\system32\drivers\etc\host file

127.0.0.1 .ixnm.net

the tip-off is akamai, a service used by websites
 
jobeard said:
this is ok as it is only a tracking cookie being set by the website you're visiting.

if you want to kill this (and many others) get ad-blocking software and/or
add this to your \windows\system32\drivers\etc\host file

127.0.0.1 .ixnm.net

the tip-off is akamai, a service used by websites

Just curious...should it be added exactly as above?...with the "dot" before the host name? Is a reboot required for the new host file to take effect?
 
yes add it literally

then get a command prompt (in an admin logon)

ipconfig /flushdns
net stop "DNS Client"
net start "DNS Client"

no reboot required
 
jobeard said:
yes add it literally

then get a command prompt (in an admin logon)

ipconfig /flushdns
net stop "DNS Client"
net start "DNS Client"

no reboot required

hmmmm...added it, and it's still connecting. :confused:
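
Added example, not part of the posts above: a small Python model of how a hosts file is consulted, run on the entry and host name from this thread. It assumes exact, case-insensitive whole-name matching (hosts files have no wildcard or leading-dot syntax); the sample file contents and the function names are constructed for illustration.

```python
# Added example (not from the thread): exact-match hosts-file lookup.
# HOSTS_SAMPLE is constructed; the entry and host name are the ones quoted above.
HOSTS_SAMPLE = """\
# constructed sample hosts file
127.0.0.1   localhost
127.0.0.1   .ixnm.net      # entry as suggested in the thread
"""

SEEN_HOST = "as21357.akamai-07.fe5-0-0.ixnm.net"  # name shown for 208.50.192.248


def parse_hosts(text):
    """Parse hosts-file text into {lowercased name: ip}, keeping the first mapping seen."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                             # blank line or address without a name
        ip, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def lookup(table, hostname):
    """Hosts files map whole names only: no wildcard, suffix or leading-dot matching."""
    return table.get(hostname.lower())


def unmatchable_entries(table):
    """Names that no real lookup can hit: wildcard patterns or a leading dot."""
    return [n for n in table if n.startswith(".") or "*" in n]


def entry_for(hostname, sink="127.0.0.1"):
    """Build the hosts line that does cover one specific host name."""
    return f"{sink} {hostname}\n"


if __name__ == "__main__":
    table = parse_hosts(HOSTS_SAMPLE)
    print("before:", lookup(table, SEEN_HOST))            # None: the dot entry never matches
    print("ignored entries:", unmatchable_entries(table))
    fixed = parse_hosts(HOSTS_SAMPLE + entry_for(SEEN_HOST))
    print("after: ", lookup(fixed, SEEN_HOST))
```

A hosts entry only affects forward lookups of that exact name; a program that connects to the IP address directly never consults it.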
 
Back to the original IPs:
CustName: Akamai Technologies Inc.
Address: 8 Cambridge Center
City: Cambridge
StateProv: MA
PostalCode: 02142
Country: US
NetRange: 207.66.62.16 - 207.66.62.31

In short, Akamai Technologies, Inc. provides services and solutions for digital media distribution and storage, content and application delivery, application performance services, on demand managed services, and Web site intelligence.

Read 'ads'. Read 'calling home'. To report abuse:
OrgAbuseEmail: abuse@osogrande.com

The IP is shared with Oso Grande Technologies, Inc.
Oso Grande Technologies is the most experienced internet company in New Mexico, providing DSL Internet services, leased lines T1 and above, colocation and ..........

Does that help you ID what's happening?

Source: Arin WhoIS Database.
 
A good way for managing startup programs without downloading additional software is through
Spybot S&D
  • Download Spybot from HERE
  • Go to Mode and select advanced.
  • Expand tools in the left pane, then double click system startup
  • Uncheck items that don't need to be started every time you turn on your computer (i.e. anything that says akamai). You will still be able to run these programs but they won't automatically load when you turn on your system.

If you want to see if you have the Nasty Virus type or the reputable files from the actual company (example below)

OK
hxxp://akamai.downloadv3.com/binaries/IA/dtc32_ES_XP.cab
or
hxxp://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_pack_XP.cab

NOT OK (dialer)
hxxp://akamai.downloadv3.com/binaries/LiveService/LiveService_5_EN_XP.cab

Please do the following
HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
  • After installing, the program launches automatically, select Scan now and save a log
  • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
    ***Under no circumstances should you add any items to the HJT ignore list. Under no circumstances should you change the directory that HijackThis downloads to. Under no circumstances should you Fix anything without specific instruction to do so. Under no circumstances should you click any buttons other than those specified in the directions, including AnalyzeThis!***
 
Blind Dragon said:
A good way for managing startup programs without downloading additional software is through
Spybot S&D
  • Download Spybot from HERE
  • Go to Mode and select advanced.
  • Expand tools in the left pane, then double click system startup
  • Uncheck items that don't need to be started every time you turn on your computer (i.e. anything that says akamai). You will still be able to run these programs but they won't automatically load when you turn on your system.

If you want to see if you have the Nasty Virus type or the reputable files from the actual company (example below)

OK
hxxp://akamai.downloadv3.com/binaries/IA/dtc32_ES_XP.cab
or
hxxp://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_pack_XP.cab

NOT OK (dialer)
hxxp://akamai.downloadv3.com/binaries/LiveService/LiveService_5_EN_XP.cab

Please do the following
HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
  • After installing, the program launches automatically, select Scan now and save a log
  • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
    ***Under no circumstances should you add any items to the HJT ignore list. Under no circumstances should you change the directory that HijackThis downloads to. Under no circumstances should you Fix anything without specific instruction to do so. Under no circumstances should you click any buttons other than those specified in the directions, including AnalyzeThis!***

No files appearing from the company in SD but I'm attaching a startup log for kicks. I'm curious if crypt32chain might be suspicious? I'm also attaching the HJT log...thanks for looking.
 
citation
Code:
crypt32chain.dll is a module belonging to the Crpytnet trojan and should be removed immediately
 
Always go to the source first to check:

Q."Spybot found crypt32chain in the crypt32.dll. It was set as a startup file."

A. "Re-enable that item> These are normal on xp and XP Pro "

Q. "crypt32chain the process being told to run by the crypt32.dll, and the crypt32chain.dll the Trojan?"

A. "If you would like more information search our forum for the term crypt32chain"

http://forums.spybot.info/showthread.php?t=2600
 
Bobbye said:
Always go to the source first to check:

Q."Spybot found crypt32chain in the crypt32.dll. It was set as a startup file."

A. "Re-enable that item> These are normal on xp and XP Pro "

Q. "crypt32chain the process being told to run by the crypt32.dll, and the crypt32chain.dll the Trojan?"

A. "If you would like more information search our forum for the term crypt32chain"

http://forums.spybot.info/showthread.php?t=2600

crypt32chain appears to be a trojan...crypt32.dll is legit. crypt32chain uses the legit program in its dirty work....
 
O4 - Startup: cports.exe.lnk = C:\Documents and Settings\HR\Desktop\Timesheet\cports\cports.exe

Do you know what this file goes with? I couldn't find a lot of information on it and the database I normally use is down for a bit.

enfuego said:
crypt32chain appears to be a trojan...crypt32.dll is legit. crypt32chain uses the legit program in its dirty work....

Those look normal to me
 
Blind Dragon said:
O4 - Startup: cports.exe.lnk = C:\Documents and Settings\HR\Desktop\Timesheet\cports\cports.exe

Do you know what this file goes with? I couldn't find a lot of information on it and the database I normally use is down for a bit.

It's legit....currports by nirsoft used to monitor ports.
 
still does (and well I might add) :)

HouseCall by Trend Micro creates a false positive however on Cports.exe
(it's a known issue)
 