Archived from groups: comp.security.firewalls
JClark wrote:
> Purl Gurl wrote:
> >Gerald Vogt wrote:
> >> Purl Gurl wrote:
(snipped)
> >There is a slight possibility the originating author has
> >spyware on his system which generates this DNS query he
> >is noting via his firewall. Personally, I would check.
> there are actually two DNS server addresses listed in ipconfig
> 65.32.1.70 and 65.32.1.80
Confirmed, both are DNS servers in the Tampa Bay, Florida region.
> I'm not having an easy time finding which program is actually trying
> to send that UDP packet.
Quickest and most easy solution would be to download
a free version of Zone Alarm, install it and wait for
Zone Alarm to pop alerts. Each alert will inform what
program is trying to access the internet. Zone Alarm
is easy to uninstall later.
Here is a small checklist which might help you. Some
of these items only appear in Win9.x, others for the
NT5 types like Win2K and XP. Some appear for all
recent Win systems; both Win9.x and NT5 types.
Keep in mind NT5 types automatically run a handful
of programs upon machine boot, without your knowledge.
These are daemon or "services" which boot load.
Press "Control Alternate Delete" all together.
This pops a task manager window which lists
most but not all active processes.
Open your NT5 task manager facility.
Run msconfig.exe in your windows\system
folder. Look in the startup section.
That will list programs which start
upon boot which you may enable or
disable easily. Be careful. You may
also look at your autoexec.bat file,
config.sys file and others, which
are mentioned below. Additionally,
your win.ini and system.ini files
are included in this program. Lot
easier to look at those through
notepad, wordpad or any text editor.
Be very careful about changes.
Run regedit.exe in your Windows folder.
Use "search" and look for "run" then
"run1" then "run2" entries. Those will
provide data on which programs are
being automatically loaded upon reading
of your registry. Be extremely careful
if you edit. A single mistake can leave
your machine unable to boot to Windows.
Lots of tutorials on how to backup then
edit your registry are available.
Do NOT mess with your registry until
you have learned and fully understand how
to edit it safely.
Open your win.ini file found in your
Windows folder. Notepad or wordpad
can be used. Look for "load device"
entries. Mostly related to hardware
support but not strictly.
Open your system.ini as above. Mostly
drivers, dll files and VXD files but
you might see some device loaders.
If you are processing an autoexec.bat
file on boot, take a look in there to
determine if there is anything being
loaded at a DOS level which could be
a source. Unlikely, but possible.
Many antiquated viruses show there.
Same for your config.sys file on boot.
Lots of devices can be loaded there.
Both autoexec.bat and config.sys are
found in your root C:\ directory.
Consider there are many programs which
automatically check for updates. Others
establish a net connection automatically
such as Netzip and some "Napster" like
software for music sharing.
Adobe Acrobat is well known for establishing
a net connection if using the free version.
Really annoying. A serious problem is when
you access a pdf acrobat file via your browser,
then close it, acrobat will remain running in
the background without you knowing this.
Adobe Acrobat does have a "phone home" feature
which does connect to your Windows default
DNS servers. Zone Alarm will alert you.
Lot easier to simply install Zone Alarm
which will immediately inform you which
programs are trying to access the net.
Do not use the Zone Alarm automatic
configuration feature. Select the
manual configuration so no programs
will be allowed until you ok them.
I am placing a bet you have software which
phones home periodically. This is not always
malware. Might be software which periodically
checks for software updates as a courtesy.
Purl Gurl
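A PowerShell walk through the checklist above, added here as an example (it is not Purl Gurl's text or code): it lists the registry Run/RunOnce entries, any load=/run= lines in win.ini, the Startup folders, services set to start automatically, and which process owns each open UDP socket, so a DNS query logged by the firewall can be traced to a program without installing anything. It assumes an NT-family Windows with the NetTCPIP module (Windows 8 / Server 2012 or later) and an elevated prompt; the Win9.x-only files (autoexec.bat, config.sys) are not covered.

```powershell
# Added example, not from the original post. Enumerates the autorun locations
# from the checklist and ties open UDP sockets to their owning processes.
# Assumes Windows 8 / Server 2012 or later (Get-NetUDPEndpoint) and an
# elevated prompt so every process's details are readable.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Host '== Registry Run/RunOnce entries =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Get-ItemProperty adds PSPath/PSParentPath etc.; drop those metadata members
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { '{0}\{1} = {2}' -f $key, $_.Name, $_.Value }
}

Write-Host '== win.ini load=/run= lines (legacy; usually empty on NT5 and later) =='
$winIni = Join-Path $env:windir 'win.ini'
if (Test-Path $winIni) {
    Select-String -Path $winIni -Pattern '^\s*(load|run)\s*=' |
        ForEach-Object { $_.Line }
}

Write-Host '== Startup folder items (per-user and all-users) =='
foreach ($folder in 'Startup', 'CommonStartup') {
    Get-ChildItem -Path ([Environment]::GetFolderPath($folder)) -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName }
}

Write-Host '== Services that load at boot (StartMode = Auto) =='
Get-CimInstance Win32_Service -Filter "StartMode='Auto'" |
    ForEach-Object { '{0,-30} {1}' -f $_.Name, $_.PathName }

Write-Host '== Open UDP sockets and the process that owns each =='
Get-NetUDPEndpoint |
    Sort-Object OwningProcess |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $endpoint = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
        '{0,-40} pid {1,-6} {2}' -f $endpoint, $_.OwningProcess, $proc.ProcessName
    }
```

Run it while the firewall is reporting the outbound UDP packet; the socket list shows which process holds the UDP port the query leaves from, and the autorun sections show how that process got started.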