I'm using Kerio and getting too many requests for ALG.exe to access port 21 on several remote IPs.
I have got ICS enabled on this box, but currently, this is the only box switched on, so the requests are not originating from my other machines.
ALG.EXE wants to connect to-
host81-152-28-20.range81.152.btcentralplus.com port 21
mail.baltispoon.ee port 21
I've tried to find out what's happening, but these sites appear to be usage stats or something.
I've got port 21 blocked at the moment, but just noticed in the log that it's also trying to connect to-
213.168.2.181
212.87.29.74
I've run a full virus scan (NAV 2004 - latest virus defs), and it's come up with nothing.
I've run AdAware, and removed a couple of things.
Here's the HijackThis log-

Logfile of HijackThis v1.97.7
Scan saved at 01:19:19, on 06/02/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnat.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\GetRight\GETRIGHT.exe
C:\Program Files\GetRight\GETRIGHT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://panoramicit.com/safesearch/search_the_web.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.panoramicit.com/safesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\System32\mstask.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.panoramicit.com/safesearch
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - https://www.freeserve.com/time/anytimereg_dialer/dialer/dialers/sd0101_4.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF31F06B-ED5A-43B1-92EE-09E8AC34C09E}: NameServer = 195.92.195.95 195.92.195.94
Is this some kind of trojan?
I think GetRight uses ALG.EXE? But nothing is downloading at the moment.
Any help much appreciated.
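A way to triage a HijackThis log like the one above without reading it line by line, as an added example that is not part of the thread: it parses the `R1`/`O2`/`O4`/`O14`/`O16` entry format and flags every entry whose URL points at a host outside a list of hosts the machine's owner recognises. The sample entries are copied from the log above; the trusted-suffix list (`freeserve.com`, the ISP seen in the log) is an assumption for illustration, and a flagged host only means "review this", not "malicious".

```python
import re
from urllib.parse import urlparse

# Constructed sample: entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://panoramicit.com/safesearch/search_the_web.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O14 - IERESET.INF: START_PAGE_URL=http://www.panoramicit.com/safesearch
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - https://www.freeserve.com/time/anytimereg_dialer/dialer/dialers/sd0101_4.exe
"""

# HijackThis entry lines look like "<section> - <body>", e.g. "O4 - HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# URLs inside an entry; ';' separates the per-protocol proxy list, so stop there too.
URL_RE = re.compile(r'https?://[^\s;"]+')

# What each section means, so a finding reads as a reviewer's note.
SECTION_MEANING = {
    "R0": "browser start/search page",
    "R1": "browser setting in the registry",
    "O14": "IE reset default (IERESET.INF)",
    "O16": "downloaded program file (DPF)",
}

def parse_hjt(text):
    """Return (section, body) tuples for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def review(entries, trusted_suffixes):
    """Flag entries whose URLs point at hosts outside the trusted suffixes (assumed list)."""
    findings = []
    for section, body in entries:
        for url in URL_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if not any(host == s or host.endswith("." + s) for s in trusted_suffixes):
                findings.append((section, host, SECTION_MEANING.get(section, "URL")))
    return findings

if __name__ == "__main__":
    for section, host, meaning in review(parse_hjt(SAMPLE_LOG), ["freeserve.com"]):
        print(f"{section}: {meaning} points at unrecognised host {host}")
```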

Here's some information about alg.exe:
"FILENAME: Alg.exe.
PROGRAM NAME: Application Layer Gateway.
DESCRIPTION: Part of Windows XP that provides support for ICS and Internet Connection Firewall (ICF).
RECOMMENDED ACTION: If a third-party firewall warns you that ALG.exe wants access, check to make sure you're not double-firewalled. If you are, disable ICF. If you are using neither ICF nor ICS and are warned that ALG.exe is trying to access the Net, deny it. A Trojan horse or worm may be trying to use it as a backdoor."
From here: http://www.pcmag.com/article2/0,4149,654619,00.asp
Do you have the XP firewall enabled in addition to Kerio? Check and if so, disable the XP firewall. You should not have two firewalls running at the same time.
Otherwise, run a trojan scan. I don't see anything that I recognize as bad in your log, but then I'm a novice. So hopefully someone else will check it also.

cheers -
I've already checked that article.
I've run NAV 2004 with latest updates - found nothing.
XP firewall is NOT running.
I wouldn't normally worry, but it's an outbound FTP connection - why?

NAV is good but it does not scan for all trojans.
There are several trojan removers that I see recommended here. TDS is one
http://tds.diamondcs.com.au/
I can't remember the others offhand.

A google search resulted in this site
http://www.pcmag.com/article2/0,4149,654619,00.asp
on the VERY FIRST page of the search
HTH
D4

Disregard last post. It seems my browser didn't load the full page and all I got to see was the original question, not the replies.
So Sorry
D4
