virus using port 6667


Postby rkusenet » Sat, 06 Nov 2004 00:53:35 GMT

Hi,

I bought a refurbished Win2K for my home. It had a lot of viruses. I used
Norton utilities to remove all of them except one.

Norton does not report any more viruses. However if I do netstat -a
I see a connection on port 6667 to an unknown site (some mediabiz.rr.com).

How do I go about finding which exe is the trojan?

TIA.

-- 




Re: virus using port 6667

Postby Malke » Sat, 06 Nov 2004 02:28:05 GMT




The first bit of advice I will give you is what you probably don't want
to hear, but it is *good* advice: Format the drive and clean install
Windows. You never know what is on a used machine, and it is nearly
impossible to be 100% sure it is clean.

That said, I assume by "Norton Utilities" you mean Norton Antivirus.
Make sure NAV is a current version and is using updated definitions.
Scan the computer for malware also:

1) Scan in Safe Mode with current version (not earlier than 2003)
antivirus using updated definitions;

2) remove spyware with Spybot Search & Destroy
(www.safer-networking.org) and Ad-aware (www.lavasoftusa.com). These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from
 http://www.**--****.com/ 
not install the other Intermute programs, however. Alternately, there
are CoolWebSearch malware removal steps at
 http://www.**--****.com/ 
HijackThis and About:Buster ( http://www.**--****.com/ ) work well in
removing homepage hijackers.  Always read the instructions before
running a spyware removal tool. Be sure to update these programs before
running, and it is a good idea to do virus/spyware scans in Safe Mode.
Make sure you are able to see all hidden files and extensions (View tab
in Folder Options);

3) If you are running Windows ME or XP, you should disable/enable System
Restore because malware will be in the Restore Points. With ME, you
must disable System Restore completely. With XP, you can delete all but
the most recent (presumably clean) System Restore point from the More
Options section of Disk Cleanup (Run>cleanmgr).

4) make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update;

5) run a firewall.

Malke
-- 
MS-MVP Windows User/Shell
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"

RE: virus using port 6667

Postby David H. Lipman » Sat, 06 Nov 2004 02:44:03 GMT

I am in TOTAL agreement with Malke.

You need to WIPE the hard disk of all software by at the very least 
reformatting it and then reinstall the OS from scratch!

Dave








virus using port 6667

Postby clownz » Sat, 06 Nov 2004 04:04:38 GMT

This is just a thought...

Port 6667 is commonly used for IRC (Internet Relay 
Chat). You can find info on IRC at mirc.co.uk.

I cannot check mediabiz.rr.com right now but I thought rr 
stood for Road Runner's cable internet? Maybe someone 
rooted a Windows box and is running a rogue IRC server off 
that IP and your comp could be a DoS zombie?

Just food for thought. I will check the domain 
mediabiz.rr.com later.

clownz

Re: virus using port 6667

Postby Robert Moir » Sat, 06 Nov 2004 06:32:06 GMT




I'll have to be vote number 3 for the suggestion that Malke and David Lipman 
have gone for.

You've purchased a 2nd hand computer with a preinstalled Windows 2000 setup 
right?

You already know it has a lot of viruses, right, you tell us that yourself.

At this time you really really really need to cut your losses on this 
install, wipe the drive and start again from scratch. The only thing you 
know about this Windows installation is that it was definitely used by 
someone who either purposely infected it before passing it on to you or who 
didn't care a whit about protecting themselves, and no matter what you do, 
no matter what your virus scanner says, there is absolutely no way to trust 
this current installation of the OS will *ever* be clean and trustworthy.

I know it sounds like a lot of work right now but if you format the disk and 
install windows and your apps again from scratch you will save yourself a 
lot of trouble in the end. Really.


-- 
-- 
Rob Moir, Microsoft MVP for servers & security
Website -  http://www.**--****.com/ 
Virtual PC 2004 FAQ -  http://www.**--****.com/ 

Kazaa - Software update services for your Viruses and Spyware. 



Re: virus using port 6667

Postby clownz » Sat, 06 Nov 2004 06:55:04 GMT

Oh I def certainly agree with reformatting. There is no 
true way to tell what else may be on the machine or what 
the purpose of it being backdoored could possibly be. Let 
alone you purchased it with pre-installed Windows from 
someone who obviously didn't care about their computer 
security or is trying to backdoor you.

If for whatever reason you need a bootdisk, a great site 
is bootdisk.com. Re-formatting may take a little bit of 
your time but at least you know you're secure. Also a tip 
when you reformat:

Get a firewall ASAP.  http://www.**--****.com/  is a good one.
Install A/V. Any good ones. I prefer Nortons or McAfee. 
AVG is a free one and you can probably find the link from 
any of the posts on this msg board. Anything is better 
than nothing. Also update your Windows through Windows 
Update to make sure you're protected against the most 
recently abused exploits.



Re: virus using port 6667

Postby N. Miller » Sat, 06 Nov 2004 16:33:55 GMT

In article < XXXX@XXXXX.COM >, rkusenet says...




I will just add my zwei pfennig's worth; and make the advice offered a 
consensus. Aside from unknown malware hiding from your efforts to root it 
out, format and reinstall also lets you set things up exactly the way you 
want without having to fight the former owner's preferences. From your 
standpoint, it is a new computer; install the OS from scratch and make it 
truly so.

-- 
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

Re: virus using port 6667

Postby Lanwench [MVP - Exchange] » Sat, 06 Nov 2004 23:05:45 GMT



Could be adware....but my advice is, if you have a new (for you) computer
with stuff on it already, reformat/reinstall Windows so you know it's clean
and has only what you want on it. I'm presuming you have your installation
media & licenses for the OS and all applications....



RE: virus using port 6667

Postby David H. Lipman » Mon, 08 Nov 2004 02:09:01 GMT

After reading another thread, this may very well be the "W32/Mabutu.a@MM" -- 
 http://www.**--****.com/ 

"The virus attempts to connect to a remote IRC server (destination port TCP 
6667). The following servers are used:"

A list of IRC servers follows...

Dave
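
An added example, not part of any post in this thread: one way to pick the outbound IRC connections discussed above out of netstat output and report the owning process ID. It assumes `netstat -ano` output (the `-o` PID column is available on Windows XP and later); the function names, the sample text and the 6660-6669 port range are assumptions made for the illustration.

```python
# Flag outbound TCP connections to IRC ports in `netstat -ano` output.
# Port 6667 is the one named in the thread; the wider 6660-6669 range is an
# assumption added here, since IRC servers often listen across it.
IRC_PORTS = set(range(6660, 6670))

# Constructed sample output (documentation address ranges, not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.20:1042      203.0.113.7:6667       ESTABLISHED     1716
  TCP    192.168.1.20:1050      198.51.100.9:80        ESTABLISHED     2204
  TCP    192.168.1.20:6667      192.168.1.31:3311      ESTABLISHED     940
  TCP    [fe80::1%4]:1060       [2001:db8::5]:6667     SYN_SENT        1716
  UDP    0.0.0.0:500            *:*                                    692
"""


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6]:port' into (host, port); port is None if not numeric."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None


def find_irc_connections(netstat_text, ports=IRC_PORTS):
    """Return TCP rows whose *remote* port is an IRC port, with the owning PID."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly five fields: proto, local, foreign, state, pid.
        # Headers and UDP rows (no state column) do not match and are skipped.
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        _, _local, foreign, state, pid = fields
        if state == "LISTENING" or not pid.isdigit():
            continue
        host, port = split_endpoint(foreign)
        # Only the foreign port matters: a local port of 6667 is just an
        # ephemeral or listening port on this machine, not an IRC client session.
        if port in ports:
            hits.append({"pid": int(pid), "remote": host, "port": port, "state": state})
    return hits


def suspect_pids(netstat_text):
    """Unique PIDs that own at least one connection to a remote IRC port."""
    return sorted({hit["pid"] for hit in find_irc_connections(netstat_text)})


if __name__ == "__main__":
    for hit in find_irc_connections(SAMPLE):
        print(hit)
```

The reported PID can be matched to an image name through the PID column in Task Manager (View > Select Columns).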









Re: virus using port 6667

Postby Chuck » Wed, 10 Nov 2004 04:23:08 GMT



Most viruses/worms try to connect to certain IRC servers to send the 
attacker information about the system.  I also agree, wiping the machine 
clean and starting over is always best.

