Thread: I think spam sites are trying to connect to me help please...

  1. #1
    gamemaster Guest

    I think spam sites are trying to connect to me help please...

    I'm new here because I just installed ZoneAlarm today because SUPERANTISPYWARE found 24 pieces of spyware on my computer. Even though it removed them, ZoneAlarm keeps throwing alerts at me over and over that 89.140.42.129.static.user.ono.com and 222.215.230.49 (from China), and 90.223.76 also from China, keep trying to connect to my computer. I don't know how to make them stop. Any help would be GREATLY appreciated, as I am running out of ideas on what to do...

    Operating System: Windows Vista Home Premium
    Product Name: ZoneAlarm (Free)

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Re: I think spam sites are trying to connect to me help please...

    Whois Server Version 2.0

    Domain names in the .com and .net domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.
    Domain Name: ONO.COM
    Registrar: NOMINALIA INTERNET S.L.
    Whois Server: whois.nominalia.com
    Referral URL: http://www.nominalia.com
    Name Server: DNS01.ONO.COM
    Name Server: DNS02.ONO.COM
    Name Server: DNS03.ONO.COM
    Status: ok
    Updated Date: 11-dec-2008
    Creation Date: 02-aug-1995
    Expiration Date: 14-dec-2009

    >>> Last update of whois database: Sat, 27 Jun 2009 18:44:54 UTC <<<

    The Registry database contains ONLY .COM, .NET, .EDU domains and
    Registrars.

    [Querying whois-ita.nominalia.com]
    [whois-ita.nominalia.com]

    NOMINALIA INTERNET S.L. - Whois Server Version 1.4

    The Registry database contains ONLY .COM, .NET and .ORG domains.

    Domain name: ONO.COM
    Created on: 2008-01-17
    Updated on: 2008-12-11
    Expires on: 2009-12-14
    Registrant Name: CABLEUROPA SA
    Contact: Cableuropa SA
    Registrant Address: C\ Basauri, 7
    Registrant City: Aravaca
    Registrant Postal Code: 28023
    Registrant Country: ES
    Administrative Contact Organization: Cableuropa S.A
    Administrative Contact Name: Nicolas Chapa null
    Administrative Contact Address: Basauri 7-9 Urbanizacion La Florida
    Administrative Contact City: Aravaca
    Administrative Contact Postal Code: 28023
    Administrative Contact Country: ES
    Administrative Contact Email: dominios@ono.es
    Administrative Contact Tel: +34 911809300
    Administrative Contact Fax: +34 911809600
    Technical Contact Organization: Cableuropa S.A
    Technical Contact Name:
    Technical Contact Address: Basauri 7,9-Urbanizacion La Florida
    Technical Contact City: Aravaca
    Technical Contact Postal Code: 28023
    Technical Contact Country: ES
    Technical Contact Email: dominios@ono.es
    Technical Contact Phone: +34 911809300
    Technical Contact Fax: +34 911809600
    Primary Name Server Hostname: DNS01.ONO.COM
    Secondary Name Server Hostname: DNS03.ONO.COM

    ------------------------------------------------------------------------------------------------------
    ------------------------------------------------------------------------------------------------------
    % [whois.apnic.net node-2]
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

    inetnum: 222.208.0.0 - 222.215.255.255
    netname: CHINANET-SC
    descr: CHINANET Sichuan province network
    descr: China Telecom
    descr: A12,Xin-Jie-Kou-Wai Street
    descr: Beijing 100088
    country: CN
    admin-c: CH93-AP
    tech-c: CS408-AP
    mnt-by: APNIC-HM
    mnt-lower: MAINT-CHINANET-SC
    mnt-routes: MAINT-CHINANET-SC
    status: ALLOCATED PORTABLE
    remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    remarks: This object can only be updated by APNIC hostmasters.
    remarks: To update this object, please contact APNIC
    remarks: hostmasters and include your organisation's account
    remarks: name in the subject line.
    remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    changed: hm-changed@apnic.net 20040317
    source: APNIC

    role: CHINANET SICHUAN
    address: No.72,Wen Miao Qian Str Chengdu SiChuan PR China
    country: CN
    phone: +86-28-86190657
    fax-no: +86-25-86190641
    e-mail: ipadmin@my-public.sc.cninfo.net
    trouble: send anti-spam reports to anti-spam@mail.sc.cninfo.net
    trouble: send abuse reports to security@mail.sc.cninfo.net
    trouble: times in GMT+8
    admin-c: YZ43-AP
    tech-c: RL357-AP
    tech-c: XS16-AP
    nic-hdl: CS408-AP
    remarks: noc.cd.sc.cn
    notify: ipadmin@my-public.sc.cninfo.net
    mnt-by: MAINT-CHINANET-SC
    changed: zhangys@mail.sc.cninfo.net 20030318
    source: APNIC

    person: Chinanet Hostmaster
    nic-hdl: CH93-AP
    e-mail: anti-spam@ns.chinanet.cn.net
    address: No.31 ,jingrong street,beijing
    address: 100032
    phone: +86-10-58501724
    fax-no: +86-10-58501724
    country: CN
    changed: dingsy@cndata.com 20070416
    mnt-by: MAINT-CHINANET
    source: APNIC


    -------------------------------------------------------------------------------
    % This is the RIPE Database query service.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf

    % Note: This output has been filtered.
    % To receive output for a database update, use the "-B" flag.

    % Information related to '90.223.0.0 - 90.223.127.255'

    inetnum: 90.223.0.0 - 90.223.127.255
    netname: SNS-INF-ADR
    descr: SNS Addresses
    descr: BSkyB Broadband
    country: GB
    admin-c: BBH-RIPE
    tech-c: BBH-RIPE
    status: ASSIGNED PA
    remarks: Please send abuse notification to abuse@sky.com
    remarks: INFRA-AW
    mnt-by: BSKYB-BROADBAND-MNT
    source: RIPE # Filtered

    role: BSkyB Broadband Hostmaster
    address: Sky Network Services
    address: 1 Brick Lane
    address: London
    address: E1 6PU
    address: England
    address: GB
    phone: +44 207 032 7000
    fax-no: +44 207 900 7812
    admin-c: KB533-RIPE
    admin-c: PPD-RIPE
    tech-c: PPD-RIPE
    tech-c: JS2116-RIPE
    nic-hdl: BBH-RIPE
    abuse-mailbox: abuse@sky.com
    mnt-by: BSKYB-BROADBAND-MNT
    source: RIPE # Filtered

    % Information related to '90.192.0.0/11AS4589'

    route: 90.192.0.0/11
    descr: BSkyB Broadband
    origin: AS4589
    mnt-by: BSKYB-BROADBAND-MNT
    source: RIPE # Filtered



    >>> Last update of whois database: Sat Jun 27 18:49:13 2009 <<<

    ------------------------------------------------------------------------------

    Okay, one is from China and one from Europe and one from the U.S.

    Just some details needed first... Is there a router or NAT-type modem (some type of hardware firewall) in front of the computer, between it and the internet? Do you do any P2P or file sharing? What kind of infections were removed by the spyware scanner? Have you got an antivirus installed (not a spyware scanner but a proper antivirus scanner) and performed a full antivirus scan for further detections and removals?

    The ZA is blocking these unwanted incoming connections so you are safe from these anyway, but have you checked the firewall logs in the ZA's Log Viewer to see if these connections began first from your computer? If these did start from your computer, then there has to be a good reason why, or else these could be considered possible malware attempts. The Log in the ZA would reveal this information.

    Oldsod.
    Best regards.
    oldsod

  3. #3
    gamemaster Guest

    Re: I think spam sites are trying to connect to me help please...

    Last night, SUPERANTISPYWARE got rid of 5 instances of Browser Hijacker.Deskbar, and 19 instances of Adware.HBHelper. This was BEFORE I installed ZoneAlarm and noticed the spam sites being blocked.

    I have Avira AntiVir Premium, and it found no new infections, same with Malwarebytes, and **bleep** scans.

    In the ZA Logs the spam sites are blocked INCOMING connections, and all of the OUTGOING are my own locations, and a few other US ones. Is this normal?

    Thanks.

    Message Edited by Gamemaster on 06-27-2009 12:16 PM

  4. #4
    Join Date
    Dec 2005
    Posts
    9,056

    Re: I think spam sites are trying to connect to me help please...

    Very normal.
    But where are your outgoing connections going to... do these destinations seem normal or usual?
    Have you got a router or hardware firewall in front of the computer?
    Did you do an antivirus scan yet (there are lots of good free scanners)?

    Oldsod.
    Best regards.
    oldsod

  5. #5
    gamemaster Guest

    Re: I think spam sites are trying to connect to me help please...

    My Outgoing connections I believe were trying to connect to my other computer, because I have printer sharing enabled.

    Also, I added more information to my previous post, can you go back to it please, thanks. Here is the link: http://forum.zonelabs.org/zonelabs/b...ssage.id=57268

    Message Edited by Gamemaster on 06-27-2009 12:18 PM

  6. #6
    Join Date
    Dec 2005
    Posts
    9,056

    Re: I think spam sites are trying to connect to me help please...

    Ah, thank you for the updated information.

    Okay... it would not be unusual for the previous infection to have made unwanted outgoing connections to their home servers to get more malware to download and install onto your computer, or just to get more info or to find out what ads to show in your browser (as in the case of a BHO .dll by the Adware.HBHelper).
    In which case, these malware servers had already been contacted by the previously removed adware, and even though the adware is removed from your computer, these malware servers have already seen your IP/operating system/details, so they will still try to connect to your computer.

    It is probably a good idea to get a nice and cheap router in front of the computer and let the hardware firewall 'silently' drop these unwanted connections. This way they will never reach the computer or the ZA firewall. Just basically use the ZA for outgoing protection and maybe for some local area network protections.


    I really cannot say exactly unless I see the logs (found in the windows\internet logs folder labeled fwpktlog.txt and ZALog.txt).
    Oldsod.
    Best regards.
    oldsod
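
The check oldsod describes (did a blocked inbound address first receive an outbound connection from this machine?), as an added example that is not part of the thread or ZoneAlarm's own tooling. The comma-separated layout, the FWIN/FWOUT labels and every address below are constructed assumptions; adapt the parser to the fields actually present in your ZALog.txt.

```python
import csv
from datetime import datetime

# Constructed sample in an ASSUMED layout (not copied from a real ZALog.txt):
# direction,date,time,source ip:port,destination ip:port,protocol
SAMPLE_LOG = """\
FWOUT,2009/06/26,21:14:02,192.168.1.2:1045,192.0.2.44:80,TCP
FWIN,2009/06/27,10:02:11,192.0.2.44:4312,192.168.1.2:1026,UDP
FWIN,2009/06/27,10:05:40,203.0.113.7:3301,192.168.1.2:445,TCP
FWOUT,2009/06/27,10:06:00,192.168.1.2:1050,192.168.1.3:139,TCP
FWIN,2009/06/27,11:30:00,198.51.100.9:2200,192.168.1.2:135,TCP
FWOUT,2009/06/27,12:00:00,192.168.1.2:1060,198.51.100.9:80,TCP
"""

def parse(text):
    """Yield (direction, timestamp, remote_ip) for each well-formed line."""
    for row in csv.reader(text.splitlines()):
        if len(row) < 6 or row[0] not in ("FWIN", "FWOUT"):
            continue  # skip headers, other event types, damaged lines
        try:
            when = datetime.strptime(row[1] + " " + row[2], "%Y/%m/%d %H:%M:%S")
        except ValueError:
            continue
        # The remote end is the source of inbound and the destination of outbound.
        endpoint = row[3] if row[0] == "FWIN" else row[4]
        yield row[0], when, endpoint.rsplit(":", 1)[0]

def classify_inbound(text):
    """Label each remote IP seen inbound as 'contacted-first' if this machine
    sent traffic to it before its first inbound attempt, else 'unsolicited'."""
    first_out, first_in = {}, {}
    for direction, when, ip in parse(text):
        table = first_out if direction == "FWOUT" else first_in
        if ip not in table or when < table[ip]:
            table[ip] = when
    return {
        ip: "contacted-first" if ip in first_out and first_out[ip] < t_in else "unsolicited"
        for ip, t_in in first_in.items()
    }

if __name__ == "__main__":
    for ip, verdict in sorted(classify_inbound(SAMPLE_LOG).items()):
        print(ip, verdict)
```

A "contacted-first" address is one to look into further: find which program made the earlier outbound connection. Outbound traffic that only appears after the inbound attempt does not count as the machine having started the exchange.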

  7. #7
    gamemaster Guest

    Re: I think spam sites are trying to connect to me help please...

    Quick question, if I were to wipe my hard drive and start with a fresh install of Windows, will this help at all?

    Also, it seems that the spam sites are only trying to connect once which I think is a good thing?

    Thanks,
    Mike

  8. #8
    Join Date
    Dec 2005
    Posts
    9,056

    Re: I think spam sites are trying to connect to me help please...

    Mike, doing a reformat and reinstall would not stop the malware sites from attempting to connect.
    They will still try regardless - but you are safe as the firewall still stops their attempts - anyway.
    They should stop trying after a few days or a couple of weeks, once they realise their malware is gone and there are not any replies to their attempts.

    Often there is a lot of 'internet' noise from servers - unwanted connection attempts.
    Not just from servers from malware infections, but often from legitimate servers just doing their usual activities over the internet.
    Usually a hardware router will 'quiet' things down and keep those unwanted connections from seeing your computer.

    Oldsod.
    Best regards.
    oldsod

  9. #9
    gamemaster Guest

    Re: I think spam sites are trying to connect to me help please...

    Thanks for all your help, I will look into getting a hardware router.

    -Mike

  10. #10
    Join Date
    Dec 2005
    Posts
    9,056

    Re: I think spam sites are trying to connect to me help please...

    You are welcome.
    Oldsod.
    Best regards.
    oldsod
