
Thread: Please Help: Possible RAT?

  1. #1
    riceorony Guest

    Please Help: Possible RAT?

    Hello to all!

    About a month ago, Webroot Spysweeper 5.5 blocked my normal MSN Live messenger from opening (even though I had used it for months previously with no problems) by claiming Trojan-Phisher-Oito was trying to activate. So when I quarantined the file, my msnmsgr.exe file was obviously removed from its normal folder. I therefore uninstalled MSN Live and reinstalled it fresh from its proper msn.com website.

    Every so often I run netstat.exe in order to determine ports connected to and so forth,

    I've noticed that some days when I am using MSN Live messenger it will connect to the normal MSN servers in addition to a certain IP address. I've looked it up on those websites that locate IP addresses; it claims to be from California but pertains to "Ad-Base Systems Inc.", which is located in Philly, because it is 71.251.xxx.xx, and the port changes each time I reload MSN.

    **Note: It doesn't always connect to the IP address from my port (which is usually 53065 or some large number port).

    I've scanned my computer with

    Webroot 5.5, Superantispyware, AVG Antispyware, updated 7.1.248 ZA internet security suite, trend micro 6.6 housecall, a-2 antispyware, and windows defender in normal windows and safe mode. All scans are clean.

    I actually have an external firewall as well as using ZA's software firewall from the security suite.

    My computer is running fine like normal, same boot-up time and shut down times, nothing strange out of the ordinary since I only use my computer for chatting (aim, msn), email, and some homework/essays.

    I also used www.grc.com to test for open ports (all my ports are stealthed) and also tested the leaktest which ZA notified me of a problem (so I passed).

    Someone please help, because I've had another computer hacked before 4 years ago and it was a very scary incident.

    Thanks

    Operating System:Windows Vista Home Premium
    Software Version:7.1 (Vista)
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    riceorony Guest

    Re: Please Help: Possible RAT?

    Oh, and I forgot to add that the port from my computer that becomes established changes with each load up of msnmsgr.exe

    I've also scanned with Counterspy v2, and my HijackThis! log looks clean like the day I first got the computer.

  3. #3
    riceorony Guest

    Re: Please Help: Possible RAT?

    Oh, and lastly:

    It only connects to 71.255.xxx.xxx whenever msnmsgr is open (sometimes). As soon as I exit msnmsgr.exe (e.g. close the program) all connections close and therefore I have 0 established connections according to netstat -a

    So therefore, do you guys believe the connection has to do with a legit MSN Live thing, or do you believe it's a remote access trojan that is only active while MSNLive is active/connected?

    The reason I'm confused is because I thought most RATs leave a port open as soon as you connect to the internet, and would not simply be based on a messenger client connection.

    Let me note that the connection formed with 71.255.xxx.xxx only occurs sometimes and not every time MSN messenger is used (there are normally no ports open or listening).

  4. #4
    riceorony Guest

    Re: Please Help: Possible RAT?

    And the reason I know it's associated with MSN Messenger is because of the nice little program inside Windows Defender that shows which connections are due to certain programs.
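    The check riceorony describes in posts #3 and #4 (which process owns each established connection, and whether the remote peer is expected) can be done from plain `netstat -ano` and `tasklist /fo csv` output. The script below is an added example, not from this thread or from ZoneAlarm/Windows Defender; its netstat and tasklist samples are constructed (the PIDs, local ports and the 207.46.x and 64.12.x peers are made up for illustration) and its "expected" network list is an assumption for the demo, not a vetted allowlist.

```python
import csv
import io
import ipaddress
import re

# Constructed sample output of "netstat -ano" and "tasklist /fo csv" on a
# Windows host; not captured from the poster's machine.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    192.168.1.5:53065      207.46.110.11:1863     ESTABLISHED     2140
  TCP    192.168.1.5:53071      72.251.77.255:80       ESTABLISHED     2140
  TCP    192.168.1.5:53088      64.12.24.128:5190      ESTABLISHED     3316
  UDP    0.0.0.0:500            *:*                                    1020
"""
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","712","Services","0","5,120 K"
"msnmsgr.exe","2140","Console","1","31,004 K"
"aim.exe","3316","Console","1","22,540 K"
"""

# Assumed "known good" peer networks for the demo; replace with ranges you
# have actually verified for the program under review.
EXPECTED_NETS = [ipaddress.ip_network("207.46.0.0/16")]

# Matches one IPv4 TCP row: local, foreign, state, pid.
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$", re.M)

def pid_to_image(tasklist_csv):
    """Map PID -> image name from 'tasklist /fo csv' output."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    next(rows)  # skip the header row
    return {int(r[1]): r[0] for r in rows if r}

def established_by_process(netstat_txt, tasklist_csv):
    """Return {image name: [(remote_ip, remote_port), ...]} for ESTABLISHED TCP."""
    names = pid_to_image(tasklist_csv)
    result = {}
    for _local, foreign, state, pid in NETSTAT_RE.findall(netstat_txt):
        if state != "ESTABLISHED":
            continue
        ip, port = foreign.rsplit(":", 1)
        result.setdefault(names.get(int(pid), f"pid {pid}"), []).append((ip, int(port)))
    return result

def unexpected_peers(conns, expected_nets=EXPECTED_NETS):
    """Remote endpoints of one process that fall outside the expected networks."""
    return [(ip, port) for ip, port in conns
            if not any(ipaddress.ip_address(ip) in net for net in expected_nets)]

if __name__ == "__main__":
    for image, conns in established_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(image, conns, "unexpected:", unexpected_peers(conns))
```

Run it against real output captured while the messenger is open and again after closing it; a peer that persists with a different owning PID is the case worth investigating further.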

  5. #5
    Join Date: Nov 2004, Location: localhost, Posts: 17,291

    Re: Please Help: Possible RAT?

    riceorony wrote:
        IP addresses that claims to be from California but pertains to "Ad-Base Systems Inc." that is located in Philly because it is 71.251.xxx.xx and the port changes each time I reload MSN.

    Hi! Probably simply the ads-banner within the MSN Live window. Really nothing to worry about. And be careful in running all of those security applications, ZASS does not play nice with many of them. Next time post the entire IP to check the origin....

    Cheers,
    Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  6. #6
    riceorony Guest

    Re: Please Help: Possible RAT?

    Thank you Guru!

    But how come AIM doesn't have the same ad-banner connections?

    Oh, and all the other programs aren't running, I only use them for on-demand scanning.

  7. #7
    Join Date: Dec 2005, Posts: 9,056

    Re: Please Help: Possible RAT?

    riceorony wrote:
        Thank you Guru!

        But how come AIM doesn't have the same ad-banner connections?

        Oh, and all the other programs aren't running, I only use them for on-demand scanning.


    Welcome to Microsoft and its partners! Now you know why there are ads.

    The Ad-Base is in the 64.x.x.x and under tucows (ms affiliate) and the 71.x.x.x is verizon - although likely this is a cached server(s).

    You could try blocking it in the Zones, although the messenger may actually fail.

    Oldsod

    (BTW I do not use any messengers).
    Best regards.
    oldsod

  8. #8
    riceorony Guest

    Re: Please Help: Possible RAT?

    The IP address is 71.251.77.255

    can someone tell me whether this is the culprit?

  9. #9
    riceorony Guest

    Re: Please Help: Possible RAT?

    ** Correction: It is 72.251.77.255

  10. #10
    naivemelody Guest

    Re: Please Help: Possible RAT?

    It looks like Webroot has a 'thing about LiveMessenger' - this has happened before. Please take a look at this - click here > http://forums.zonelabs.org/zonelabs/...d=85338#M24623

    riceorony, you may wish to report this to Webroot Support as a 'possible false positive.'

    NaiveMelody NYC 3-4-08 - U Can't Touch This - M.C. Hammer
