
Trojan Spyware or Virus


Name: fishface72
Date: December 3, 2003 at 05:23:02 Pacific
OS: Windows 2000 Server
CPU/Ram: PIII
Comment:

Hi, please can someone throw some light on this. I have windows 2000 Server running using no-ip. I have picked up outgoing traffic on my PC going to sites like pepsi, www.sony.com, www.att.com, geocities.yahoo.com, www.icq.com, www.download.com, www.mcdonalds.com, www.apple.com. All outgoing is to their port 80 and is coming from DUC20.exe the program used by no-ip to update my IP address onto their servers. One site is hit every 10 mins.

There are two other PCs sharing the connection using Sygate. These now have up-to-date Network Associates McAfee VirusScan. I have run full scans of ALL files, compressed files etc.

I am connected to my neighbour's network as well.

I am running IIS and SQL Server 7.0 on the server.

I am using Symantec Client Firewall which is NOW up to date with patches and signatures. All ports are closed by default and I open them up as required.

I am currently reviewing all the processes and services running.

I am using Network Associates NetShield, which is NOW up to date. I was using Symantec Norton Anti Virus, which was not up to date.

The server is up to date with Patches from Microsoft.

I am no expert at this stuff and have performed the following so far:

Ensured all virus checkers are up to date.

Ran Ad-Aware 6.0 on all 3 PCs and removed mainly cookies and

Deleted duc20.exe (problem stops) and re-installed the latest version of it from download.com (problem starts again).

Exited duc20.exe – problem stops.

Renamed duc20.exe and ran it. Problem reported from the renamed file.


Here are some of the firewall logs:

Connections made. I have included some of the activity around the DUC20 communication, especially dns.exe and services.exe, as they always occur straight after DUC20 transmits.

01/12/2003 18:45 Supervisor Rule "Default Inbound NetBIOS Name" blocked (81.128.187.188,netbios-ns(137)). Details:
Inbound UDP packet
Local address,service is (81.128.187.188,netbios-ns(137))
Remote address,service is (200.65.188.174,1027)
Process name is "N/A"

01/12/2003 18:45 Supervisor Rule "Default Inbound NetBIOS" blocked (192.168.0.255,netbios-dgm(138)). Details:
Inbound UDP packet
Local address,service is (192.168.0.255,netbios-dgm(138))
Remote address,service is (192.168.0.1,netbios-dgm(138))
Process name is "N/A"

************************
01/12/2003 18:45 Supervisor Rule "Browse the Web" permitted (www.yahoo.com(216.109.118.77),http(80)). Details:
Outbound TCP connection
Local address,service is (localhost,2268)
Remote address,service is (www.yahoo.com(216.109.118.77),http(80))
Process name is "D:\Program Files\No-IP\DUC20.exe"

01/12/2003 18:45 Supervisor Rule "Default Outbound DNS" permitted (63.241.199.50,domain(53)). Details:
Outbound UDP packet
Local address,service is (0.0.0.0,1028)
Remote address,service is (63.241.199.50,domain(53))
Process name is "D:\WINNT\System32\dns.exe"

01/12/2003 18:45 Supervisor Rule "Default Outbound DNS" permitted (localhost,domain(53)). Details:
Outbound UDP packet
Local address,service is (0.0.0.0,2267)
Remote address,service is (localhost,domain(53))
Process name is "D:\WINNT\system32\services.exe"
************************


01/12/2003 18:45 Supervisor Rule "Default Inbound NetBIOS Name" blocked (192.168.0.255,netbios-ns(137)). Details:
Inbound UDP packet
Local address,service is (192.168.0.255,netbios-ns(137))
Remote address,service is (platinum(192.168.0.67),netbios-ns(137))
Process name is "N/A"

01/12/2003 18:45 Supervisor Rule "Default Inbound NetBIOS Name" blocked (192.168.0.255,netbios-ns(137)). Details:
Inbound UDP packet
Local address,service is (192.168.0.255,netbios-ns(137))
Remote address,service is (192.168.0.1,netbios-ns(137))
Process name is "N/A"

01/12/2003 18:44 Supervisor Rule "Default Inbound ICMP" blocked (81.128.178.228,8). Details:
Inbound ICMP request
Local address is (81.128.187.188)
Remote address is (81.128.178.228)
Message type is "Echo Request"
Process name is "N/A"


The connection Log…

01/12/2003 18:46 Supervisor Connection: 192.168.0.40: netbios-ssn(139) from platinum(192.168.0.67): 2252, 72 bytes sent, 637 bytes received, 1:08.057 elapsed time
01/12/2003 18:45 Supervisor Connection: www.yahoo.com(216.109.118.77): http(80) from 81.128.187.188: 2269, 161 bytes sent, 35315 bytes received, 0.941 elapsed time
01/12/2003 18:45 Supervisor Connection: localhost: 2268 to localhost: 1034, 35315 bytes sent, 271 bytes received, 1.121 elapsed time
01/12/2003 18:45 Supervisor Redirected Connection: localhost: 1034 from localhost: 2268, 161 bytes sent, 35315 bytes received, 1.121 elapsed time
01/12/2003 18:42 Supervisor Connection: 192.168.0.39: 3414 to platinum(192.168.0.67): http(80), 22969 bytes sent, 2346 bytes received, 1:04.292 elapsed time
01/12/2003 18:42 Supervisor Connection: 192.168.0.39: 3412 to platinum(192.168.0.67): http(80), 46920 bytes sent, 3117 bytes received, 1:05.544 elapsed time

And the Hijack log...

Logfile of HijackThis v1.97.7
Scan saved at 13:12, on 03/12/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\System32\llssrv.exe
D:\Program Files\Network Associates\NetShield 2000\Mcshield.exe
d:\PROGRA~1\sql7\binn\sqlservr.exe
D:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\System32\tcpsvcs.exe
D:\WINNT\System32\snmp.exe
D:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\Dfssvc.exe
D:\WINNT\System32\dns.exe
D:\WINNT\System32\inetsrv\inetinfo.exe
D:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.exe
D:\WINNT\system32\devldr32.exe
D:\Program Files\Sygate\SHN\sgserv.exe
D:\WINNT\Explorer.exe
D:\WINNT\system32\devldr32.exe
D:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.exe
D:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
D:\Program Files\Creative\SBLive2k\Launcher\TaskGuide\updtray.exe
D:\WINNT\System32\spool\drivers\w32x86\3\hpztsb02.exe
D:\Program Files\Sygate\SHN\Sygate.exe
D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.exe
D:\WINNT\system32\atiptaxx.exe
D:\Program Files\Network Associates\NetShield 2000\SHSTAT.exe
D:\WINNT\system32\internat.exe
D:\Program Files\sql7\Binn\sqlmangr.exe
D:\WINNT\System32\mdm.exe
D:\Program Files\Symantec_Client_Security\Symantec Client Firewall\ATRACK.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\No-IP\DUC20.exe
D:\WINNT\system32\wuauclt.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Pre-install\HiJackThis\HijackThis.exe

O1 - Hosts file is located at: D:\WINNT\System32\drivers\etc\hosts
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] D:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [Creative Launcher] D:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINNT\System32\spool\drivers\w32x86\3\hpztsb02.exe
O4 - HKLM\..\Run: [SyGateManager] D:\Program Files\Sygate\SHN\Sygate.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [MMTray] D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [iamapp] D:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\NetShield 2000\SHSTAT.exe" /STANDALONE
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: No-IP DUC.lnk = D:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: Service Manager.lnk = D:\Program Files\sql7\Binn\sqlmangr.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/30df0d099fd1984d5b23/netzip/RdxIE601.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{168CAE1F-FC10-41BE-B7C1-5A35A16CD263}: NameServer = 213.120.62.97 213.120.62.98
O17 - HKLM\System\CCS\Services\Tcpip\..\{29EC6539-4633-43D3-971E-B6108C15D727}: NameServer = 127.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{168CAE1F-FC10-41BE-B7C1-5A35A16CD263}: NameServer = 213.120.62.97 213.120.62.98

Please can someone throw some light on this or point me in some kind of direction,

Cheers




Response Number 1
Name: iceblue
Date: December 3, 2003 at 06:48:16 Pacific
Reply:

"All outgoing is to their port 80 and is coming from DUC20.exe the program used by no-ip to update my IP address onto their servers."

Sounds like your program is doing its job - a little too well...and telling everybody...

So what's the problem? heh heh

By the way, you might want to shut down Creative's registration reminder....
O4 - HKLM\..\Run:[UpdReg]D:\WINNT\Updreg.exe
wonder if that goes out every 10 mins.?

Certainly this goes out regularly...it's their news update system....yeehah !
D:\Program Files\Creative\SBLive2k\Launcher\TaskGuide\updtray.exe

I reckon that one will shut it down. Maybe do them separately and find out.
Reboot.

and also
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

and whack this one on the head...
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/30df0d099fd1984d5b23/netzip/RdxIE601.cab
reboot.

http://www.answersthatwork.com/Tasklist_pages/tasklist_n.htm

Not really trojan or virus,
more like marketing scumware.
Ice

Could you repost after and I'll check it.
(late night here)

Response Number 2
Name: John
Date: December 5, 2003 at 10:25:23 Pacific
Reply:

Ice, cheers, sorry about late reply, things got rather busy.

Mailed No-IP; this is their response that explains it. Thanks for the extra info, will be tidying them up. Ta very much...

...
When the keep alive option is checked on the DUC, the client will from time to
time request a popular site. This is done to generate a small amount of traffic
to keep the connection alive and to also verify the connection to the internet.

If you disable the keep alive option the client will stop doing this.

...

Cheers,
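As an added example (not code from the thread, from No-IP, or from Symantec), here is a small Python parser for the Symantec Client Firewall "Details" entries quoted in the first post. It groups permitted outbound connections by process and reports which processes contact a rotating set of hosts at a roughly fixed interval, which is exactly the pattern fishface72 saw and that No-IP's reply attributes to the DUC keep-alive option. The sample log is constructed: it reuses a few entries from the post and adds DUC20.exe entries to other hosts using documentation-range addresses (192.0.2.x) at 10-minute spacing.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Symantec Client Firewall layout quoted in the post:
# one header line per event, detail lines below it, blank line between events.
# Hosts other than the ones taken from the post use 192.0.2.x placeholder addresses.
SAMPLE_LOG = r"""
01/12/2003 18:44 Supervisor Rule "Default Inbound ICMP" blocked (81.128.178.228,8). Details:
Inbound ICMP request
Local address is (81.128.187.188)
Remote address is (81.128.178.228)
Message type is "Echo Request"
Process name is "N/A"

01/12/2003 18:45 Supervisor Rule "Default Inbound NetBIOS Name" blocked (192.168.0.255,netbios-ns(137)). Details:
Inbound UDP packet
Local address,service is (192.168.0.255,netbios-ns(137))
Remote address,service is (192.168.0.1,netbios-ns(137))
Process name is "N/A"

01/12/2003 18:45 Supervisor Rule "Browse the Web" permitted (www.yahoo.com(216.109.118.77),http(80)). Details:
Outbound TCP connection
Local address,service is (localhost,2268)
Remote address,service is (www.yahoo.com(216.109.118.77),http(80))
Process name is "D:\Program Files\No-IP\DUC20.exe"

01/12/2003 18:45 Supervisor Rule "Default Outbound DNS" permitted (63.241.199.50,domain(53)). Details:
Outbound UDP packet
Local address,service is (0.0.0.0,1028)
Remote address,service is (63.241.199.50,domain(53))
Process name is "D:\WINNT\System32\dns.exe"

01/12/2003 18:55 Supervisor Rule "Browse the Web" permitted (www.sony.com(192.0.2.10),http(80)). Details:
Outbound TCP connection
Local address,service is (localhost,2301)
Remote address,service is (www.sony.com(192.0.2.10),http(80))
Process name is "D:\Program Files\No-IP\DUC20.exe"

01/12/2003 18:55 Supervisor Rule "Default Outbound DNS" permitted (63.241.199.50,domain(53)). Details:
Outbound UDP packet
Local address,service is (0.0.0.0,1028)
Remote address,service is (63.241.199.50,domain(53))
Process name is "D:\WINNT\System32\dns.exe"

01/12/2003 19:05 Supervisor Rule "Browse the Web" permitted (www.att.com(192.0.2.11),http(80)). Details:
Outbound TCP connection
Local address,service is (localhost,2340)
Remote address,service is (www.att.com(192.0.2.11),http(80))
Process name is "D:\Program Files\No-IP\DUC20.exe"

01/12/2003 19:05 Supervisor Rule "Default Outbound DNS" permitted (63.241.199.50,domain(53)). Details:
Outbound UDP packet
Local address,service is (0.0.0.0,1028)
Remote address,service is (63.241.199.50,domain(53))
Process name is "D:\WINNT\System32\dns.exe"

01/12/2003 19:15 Supervisor Rule "Browse the Web" permitted (geocities.yahoo.com(192.0.2.12),http(80)). Details:
Outbound TCP connection
Local address,service is (localhost,2377)
Remote address,service is (geocities.yahoo.com(192.0.2.12),http(80))
Process name is "D:\Program Files\No-IP\DUC20.exe"
"""

# Header: "dd/mm/yyyy HH:MM Supervisor Rule "<rule>" permitted|blocked (...)". Details:
HEADER_RE = re.compile(r'^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}) Supervisor Rule "([^"]+)" (permitted|blocked) ')
REMOTE_RE = re.compile(r'^Remote address(?:,service)? is \((.*)\)$')
PROCESS_RE = re.compile(r'^Process name is "(.*)"$')


def parse_entries(text):
    """Turn the multi-line log text into one dict per event."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {
                "time": datetime.strptime(m.group(1), "%d/%m/%Y %H:%M"),  # UK day-first dates
                "rule": m.group(2), "action": m.group(3),
                "direction": None, "remote_host": None, "remote_service": None, "process": None,
            }
            entries.append(current)
            continue
        if current is None:
            continue  # detail line before any header; ignore
        if line.startswith(("Outbound", "Inbound")):
            current["direction"] = line.split()[0].lower()
        elif (m := REMOTE_RE.match(line)):
            value = m.group(1)
            host, service = value.rsplit(",", 1) if "," in value else (value, None)
            current["remote_host"] = host.split("(")[0]  # "www.yahoo.com(216...)" -> "www.yahoo.com"
            current["remote_service"] = service
        elif (m := PROCESS_RE.match(line)):
            current["process"] = m.group(1)
    return entries


def outbound_beacons(entries, min_hits=3, tolerance=0.25):
    """Per process, summarise permitted outbound events: hit count, distinct hosts,
    median gap in minutes, and whether every gap is within `tolerance` of that median."""
    by_proc = defaultdict(list)
    for e in entries:
        if e["direction"] == "outbound" and e["action"] == "permitted" and e["process"] not in (None, "N/A"):
            by_proc[e["process"]].append(e)
    report = {}
    for proc, evs in by_proc.items():
        if len(evs) < min_hits:
            continue
        evs.sort(key=lambda e: e["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() / 60 for a, b in zip(evs, evs[1:])]
        med = statistics.median(gaps)
        report[proc] = {
            "hits": len(evs),
            "hosts": sorted({e["remote_host"] for e in evs}),
            "median_interval_min": med,
            "regular": med > 0 and all(abs(g - med) <= tolerance * med for g in gaps),
        }
    return report


if __name__ == "__main__":
    for proc, info in outbound_beacons(parse_entries(SAMPLE_LOG)).items():
        print(proc, info)
```

On the sample, DUC20.exe shows four hits to four different web hosts at a steady 10-minute gap (the keep-alive), while dns.exe shows the same regularity but only ever to the one resolver, which is what you would expect from the server's own DNS service resolving the names DUC20 asks for. That distinction (rotating hosts versus a single fixed peer) is the useful one when deciding whether periodic outbound traffic needs a closer look.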


