I decided to run the new PCAudit 6.3 test and it is so much nastier than the old version.
This app tries to connect to www.pcinternetpatrol.com through almost every program that is allowed in my firewall to connect to the internet. The old version was easily blocked by removing explorer's access to port 80. This new version is way more tricky: it used almost all my systray apps to try to connect, from Logitech MouseWare to NOD32!!! Luckily the good old Sygate asked me about these apps trying to connect, and after blocking them all I got a good result. If you have not run this version you should try!! Sony |
Thxs Sony, my Outpost FW failed me bigtime.
Guess it's time I gave Sygate a try. |
Do you suppose there is some kind of trick here? If you don't open IE and type something, the test will not proceed.
Do you suppose PCAudit is simply gathering certain data and transmitting it over port 80, which would normally have to have access to the internet? What it seems to send is a directory listing of My Documents, keystrokes of what was typed on the web page and an image of what was being viewed in IE 6, the computer name, user name and IP. No other directories are listed. I ran Steve Gibson's "LeakTest" and passed. The usual ports test passed as well. I don't well understand what is happening in the PCAudit 6.3 program, but it seems possible it could be a marketing trick, no? Anybody know how this little program works? |
It's a couple hours later and I installed Sygate to try it with PCAudit. This time I opened a text editor and typed a couple letters, and when Sygate asked if it could open IE, I said no. The data was still transmitted.
I hope some members more up on this subject can shed some light on this test, which is troubling. BTW, the Sygate security test shows that Sygate's web site is unable to obtain any info at all from the PC in question, other than the IP. |
I just typed some letters in Notepad and the test was failed :blink:
I use Sygate. |
Also here is everything this app sends over the net.
cya, Will |
Still reading and digesting all this. But, just for the record, I uninstalled McAfee Firewall, installed Zone Alarm (latest edition), uninstalled, then installed Sygate (latest edition). Nothing stopped this "thing".
:) |
Good job at explaining everything, war.
I was too lazy when I posted; I didn't even look at my settings because Sygate passed for me the first time (I have DLL on). Tested without it and it fails. Sony |
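The "DLL on" setting Sony refers to (Sygate's DLL authentication) is why the test was caught only with it enabled: an application that the firewall already trusts is re-checked against the modules it has loaded, so a trusted app carrying an unexpected DLL is no longer treated as the app the rule was written for. As an added illustration of that idea (not code from this thread or from any firewall vendor; process names, module names and hashes are constructed), here is the baseline comparison in Python:

```python
import hashlib
from typing import Dict, List, Tuple

def fp(data: bytes) -> str:
    """Fingerprint of a module; a real tool would hash the file on disk."""
    return hashlib.sha256(data).hexdigest()

# Constructed known-good baseline: process -> {module name: hash}, recorded
# when each application was first allowed through the firewall.
BASELINE: Dict[str, Dict[str, str]] = {
    "firefox.exe": {"firefox.exe": fp(b"firefox-1.0"), "nspr4.dll": fp(b"nspr4-1.0")},
    "em_exec.exe": {"em_exec.exe": fp(b"mouseware-9.8"), "kernel32.dll": fp(b"k32")},
}

def audit_process(name: str, modules: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (module, reason) findings for anything that differs from the baseline."""
    known = BASELINE.get(name)
    if known is None:
        return [(name, "process not in baseline")]
    findings = []
    for mod, digest in modules.items():
        if mod not in known:
            findings.append((mod, "module not in baseline"))   # injected/unknown DLL
        elif known[mod] != digest:
            findings.append((mod, "module hash changed"))      # replaced or patched
    return findings

def allow_outbound(name: str, modules: Dict[str, str]) -> bool:
    """Outbound decision: an allowed app stays allowed only while its modules match."""
    return not audit_process(name, modules)

# Constructed snapshots: one clean process, one carrying an extra unknown DLL.
CLEAN_FIREFOX = {"firefox.exe": fp(b"firefox-1.0"), "nspr4.dll": fp(b"nspr4-1.0")}
HIJACKED_FIREFOX = dict(CLEAN_FIREFOX, **{"unknown_injected.dll": fp(b"leaktest")})

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN_FIREFOX), ("hijacked", HIJACKED_FIREFOX)):
        print(label, "allowed" if allow_outbound("firefox.exe", snap) else "blocked",
              audit_process("firefox.exe", snap))
```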
war, thanks for taking the time to explain this to me. I learned a lot after spinning my wheels for several hours and trying various firewalls. Really appreciate the lesson in security.
|
------meanwhile, a couple hours later-----------
Sony's thread about PCAudit and war's explanation were a wake-up call for me. In going through the paces, I installed x-NetStat 5.1 and found a curious connection from the other PC on my LAN. Hostname: moscow.eau.wi.charter.com. This didn't show up in Sygate (latest version, set to DLL Authentication), but showed up in x-NetStat with the IP of the other PC on this LAN. I ran AdAware, Trojan Remover, Kaspersky AV 5 and nothing showed up. Finally I did a search of the registry with Registry Crawler and found moscow.eau, etc. in two places in the Registry along with some other moscow things. At that point I deleted all the cookies in IE6 (there were a lot) and then the registry entries disappeared. I don't know what to make of it. Anyway, things are tighter here now, thanks to Sony's thread. |
I found the same entry on my PC (see screenshot). The weird thing is that it shows my internal IP with that host name!!! I need to investigate this; now you got me worried. If you find more information please let me know. It's time for bed here, so I will have to do my homework tomorrow morning about moscow.eau.wi.charter.com. Sony |
Wow. Really weird. Your screen shot is exactly like mine.
I thought it was gone after a total cookie and registry clean-up, but this evening that same thing logged on. With x-NetStat I was able to kick it off, but Sygate isn't doing anything. The saga continues. :) |
Try Ethereal for more info. ;) |
I still don't get why my internal IP is associated with that domain? |
Is that not your host name? If it is, then it just got it by resolving your internet IP address (reverse DNS) and just told you your LAN IP address instead. If not, then some program is messing with your DNS server and assigning a host name to your LAN IP for whatever reason. Or your ISP did, or whatever... |
war:
What is a reasonable explanation for the "moscow" part of the IP? Is that one of the web sites that is hosted by charter.com? I noticed that moscow demands a login to their website. This thread is too confusing to me. The only conclusion I have reached so far is that I should have a separate box for my www adventures. There I should start fresh every session by using a ghosted image of a clean install. Or a Deep Freeze version. Gonna check these options. A separate box may be just the right thing; then I can have the computer where I really work clean and nice. This is getting crazy. Do I want to live in such a world? Of course I do (the option seems boring), but I don't really want to spend half of my time on different security precautions. Thanks to all that contributed here. |
I found the moscow thing on there again a bit ago.
There are quite a few articles around about IIS. I don't understand this problem yet. :( |
Oh, my bad... I was just kidding... I just meant IIS is a POS and there are so many security issues... that's all... sorry for the confusion...
lol. Um, yeah, I would say that's a Charter ISP IP address... is that your ISP? If not, yeah, something is going on... |
Um, moscow.eau.wi.charter.com?
Site does not even exist, it seems? At least not HTTP. |
Not at all, it is not my ISP!!!! My internal IP is assigned automatically by my hardware router, which makes it even more strange that it shows as that. I use a Linksys WRT54G router... and an Alcatel SpeedTouch DSL modem. rikytik, what hardware do you use? |
My router is the same model as yours Sony. I don't use Charter either and am connected by cable.
The appearance of the moscow.eau connection also reflects the internal 192.168.101 IP apparently generated by the router. The connection seems to be PC#1 connecting to PC#2. Both are hardwired to the router. It is on PC#1 that I found the moscow entries in the registry using Registry Crawler. None of my scanning stuff found them. I did a wholesale reg clean and in poking around found about 4,000 directories in HKEY_USERS\S-1-5-21-2025429265-1580436667-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ that relate to mostly pop-up and other spyware-type connections that happened over the past year or two. Those directories appear to be void of any useful data, probably due to the registry cleaner (Registry Medic 3). It removed 100+ entries. But those thousands of directories are still there. Just trying to figure my next step. Haven't ruled out a clean install and starting fresh with a new attitude about security. |
Hmmm, I searched everywhere in my registry and I only found the entry from xstat, nothing else.
I'm really confused about this one... I run every possible virus and trojan scanner that I know of, most of the spyware tools, and nothing is found on my system. I even passed the bloody test that I posted in this thread. I have always been extra careful with my system security... I'm thinking that xstat is somehow detecting the ndisuio.sys used by the Linksys router as that, but I'm not really sure... If you find more info let me know, I will do the same. Sony |
Yes, occurred to me also it is curious that this is happening with two same model Linksys routers.
I am going to restore this machine to a much earlier image and see what I find there, then decide about a clean install. Hmm. We'll see. I'll be following this thread! :) |
Sony, one observation. I notice in your screen shot that the "Process" is Firefox.exe.
The 3 instances where I copied the connection info, all mine were "System". Not sure what that means. |
Yeah, I have System too. Everything that I double-click in xstats shows as moscow with my internal IP. Wondering if it's just a problem with x-NetStat and our hardware... I'd really like to test a different software and see. |
I have been thinking it is PC#1, but I just found this in the registry of PC#2.
I'm wondering if this is simply part of x-netstat |
A better view of the registry tree relating to the preceding screenshot. You think we've been chasing our tail on this one?
|
I think it is part of the DNS cache of xnetstats. If you open xnetstats and go to Tools > Options, click on Edit DNS cache, you will notice that in the cache the internal IP is equal to the freaking moscow name. Close the DNS cache, still in Options click on Clear DNS cache, close xnetstat, restart it, and now your internal IP should show your computer name!!!! Yayay |
Off-topic now, put here just to make it clear.
You are a genius, Sony. Man, did that ever cause me a lot of worry. Well, all part of the game and I sure learned a lot of things. Very enriching thread you started, Sony. :)
Thanks for the data, unicorn. The big concern I had was why was this connection showing up on my pc. Thanks for your help. And war, too. Great thread. |
I'm glad we have it sorted.
I was pulling my hair for a few hrs on this one. Once I ran every possible scan on my system I decided that I needed to look in the xnetstat, because the chance of my PC being infected is not that big (I like to believe so anyway...). Now I have a different problem that I need to solve... but I might start a new thread. Take care buddy and everyone that contributed to this thread. Sony |
I just did this test and failed miserably. I have McAfee Personal Firewall Plus, and McAfee VirusScan Enterprise 8.1i running also... This is behind a router... Man, what a shake-up.
I wonder what I could do to fix that... When the test was done it led me to a page that showed the page I was on; it had a photo of my desktop. Everything was there. It had the name of my PC, my IP address, my My Docs folder list and so on. It even had my favorites list!!... This is pathetic... |
Hmm... It seems to be a test of things going out, not coming in. So if you think about it and you are behind a router or a software firewall, if someone tried to get in they wouldn't be able to. This only explains in better detail why I insist on having a soft firewall alongside the router...
|
What the disclaimer "forgot" to tell you is that the windows/system32 .dll they used tries to connect one last time AFTER you ran the test and closed the PCAudit program... which possibly means:
if you log in somewhere with a real user/pass, it's possible that this info is transmitted :blink: |
All this is interesting. I didn't run the file; it's detected as spyware and that is enough for me to not run it.
So how is it fixable, the vulnerability I mean? I suppose any software that had it incorporated would be detected by scanners anyway. So what's the worry? |
With NAV 2005
Source: C:\Documents and Settings\Me\Desktop\pcaudit.exe Description: The file C:\Documents and Settings\Me\Desktop\pcaudit.exe is a Spyware threat. Click for more information about this threat : link Spyware.Pcaudit |
So PCAudit is a glorified keylogger; at least it helped patch the .dll hole.
@.Unicorn, if you want to browse cleanly every time, why not just pop in the Linspire live CD? It takes a couple of minutes to boot, but most everything is done with a RAM disk (I believe). My understanding is it is like surfing in a PE environment, and you can always save pages as favorites, then export favorites to a flash disk or USB disk for revisiting later. Just food for thought. |