Hi N. Miller,

I found out what it is.

I made a Rule to Log anything using that IP in or out.

It is my Browser Netscape 7.2 that makes an Inbound Domain call using the
App (Browser) Netscape.exe and looks for an Outbound return using the
Apps Netscape.exe, Wucrtupd.exe and Wuloader.exe.

Sometimes it didn't use an App at all on the Inbound that alerted me to
it in the first place.

I can't Block the In/Outbound using the Netscape App or I can't Surf the
Web.

But I can Block the In/Outbound ones using the Windows Update Apps
wucrtupd.exe and wuloader.exe without any problems.

Why the hell does it need to use those Apps when it can use Netscape.exe
both ways?????

And it may explain those hits on Port 80 I see too.

Is this something we should worry about?

Is it a type of Spyware?

Kevin

Rule "205.188.146.145" blocked (205.188.146.145,domain). Details:
Outbound UDP packet
Local address,service is (0.0.0.0,1176)
Remote address,service is (205.188.146.145,domain)
Process name is "C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE"

Rule "205.188.146.145" ignored (0.0.0.0,1098). Details:
Inbound UDP packet
Local address,service is (0.0.0.0,1098)
Remote address,service is (205.188.146.145,domain)
Process name is "C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE"

Rule "Block Outbound AOL Proxy wucrtupd.exe TCP/UDP" blocked
(205.188.146.145,domain). Details:
Outbound UDP packet
Local address,service is (0.0.0.0,1103)
Remote address,service is (205.188.146.145,domain)
Process name is "C:\WINDOWS\SYSTEM\WUCRTUPD.EXE"

Rule "Block Outbound AOL Proxy wuloader.exe TCP/UDP" blocked
(205.188.146.145,domain). Details:
Outbound UDP packet
Local address,service is (0.0.0.0,1094)
Remote address,service is (205.188.146.145,domain)
Process name is "C:\WINDOWS\SYSTEM\WULOADER.EXE"
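A small parser for the firewall records above, added here as an example and not part of the thread: it reads the multi-line NIS/AtGuard records (with or without a timestamp, and with the wrapped rule header), groups them by process for one remote IP, and lists any process other than the browser that reached it. The sample records are constructed from the ones posted above.

```python
import re
from collections import Counter
# Constructed sample modelled on the NIS/AtGuard records quoted in this thread
# (not a real capture); the "Rule ..." header may wrap onto a second line.
SAMPLE_LOG = r'''
Rule "205.188.146.145" blocked (205.188.146.145,domain). Details:
Outbound UDP packet
Local address,service is (0.0.0.0,1176)
Remote address,service is (205.188.146.145,domain)
Process name is "C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE"

Rule "Block Outbound AOL Proxy wucrtupd.exe TCP/UDP" blocked
(205.188.146.145,domain). Details:
Outbound UDP packet
Local address,service is (0.0.0.0,1103)
Remote address,service is (205.188.146.145,domain)
Process name is "C:\WINDOWS\SYSTEM\WUCRTUPD.EXE"

8/2/05 21:10:41 Rule "Default Block 205.188.146.145" blocked
(205.188.146.145,domain). Details:
Outbound UDP packet
Local address,service is (0.0.0.0,1520)
Remote address,service is (205.188.146.145,domain)
Process name is "C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\DIALER.EXE"
'''
# One regex per record; \s* absorbs the line wraps inside a record.
RECORD_RE = re.compile(
    r'(?:(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+)\s+)?Rule "(?P<rule>[^"]*)" '
    r'(?P<action>blocked|permitted|ignored)\s*\([^)]*\)\. Details:\s*'
    r'(?P<direction>Inbound|Outbound) (?P<proto>TCP|UDP) packet\s*'
    r'Local address,service is \([^)]*\)\s*Remote address,service is '
    r'\((?P<raddr>[^,]*),(?P<rsvc>[^)]*)\)\s*Process name is "(?P<proc>[^"]*)"')

def parse_records(text):
    # One dict per firewall record found in text (ts is None when absent)
    return [m.groupdict() for m in RECORD_RE.finditer(text)]

def talkers(text, remote_ip):
    # Count (process basename, direction, proto, remote service) for one remote IP
    counts = Counter()
    for r in parse_records(text):
        if r['raddr'] == remote_ip:
            proc = r['proc'].rsplit('\\', 1)[-1]
            counts[(proc, r['direction'], r['proto'], r['rsvc'])] += 1
    return counts

def unexpected(text, remote_ip, allowed=('NETSCP.EXE',)):
    # Processes other than the browser that reached the remote IP
    return sorted({k[0] for k in talkers(text, remote_ip)} - set(allowed))
```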

Re: For N. Miller by N

N
Wed Aug 03 02:18:37 CDT 2005

On Tue, 02 Aug 2005 18:24:22 -0400, !:?) wrote:

> Hi N. Miller,
>
> I found out what it is.
>
> I made a Rule to Log anything using that IP in or out.
>
> It is my Browser Netscape 7.2 that makes an Inbound Domain call using the
> App (Browser) Netscape.exe and looks for an Outbound return using the
> Apps Netscape.exe, Wucrtupd.exe and Wuloader.exe.
>
> Sometimes it didn't use an App at all on the Inbound that alerted me to
> it in the first place.
>
> I can't Block the In/Outbound using the Netscape App or I can't Surf the
> Web.
>
> But I can Block the In/Outbound ones using the Windows Update Apps
> wucrtupd.exe and wuloader.exe without any problems.
>
> Why the hell does it need to use those Apps when it can use Netscape.exe
> both ways?????
>
> And it may explain those hits on Port 80 I see too.
>
> Is this something we should worry about?
>
> Is it a type of Spyware?

Netscape should make a local connection when it is fired up. Using TCPView,
I get this (a partial listing of ports):

| TCP megumi:2211 megumi:0 LISTENING
| TCP megumi:5000 megumi:0 LISTENING
| TCP megumi:11194 megumi:0 LISTENING
| TCP megumi:44334 megumi:0 LISTENING
| TCP megumi:51975 megumi:0 LISTENING
| TCP megumi:1424 megumi:0 LISTENING
| TCP megumi:1424 localhost:1425 ESTABLISHED
| TCP megumi:1425 localhost:1424 ESTABLISHED
| TCP megumi:2198 localhost:44334 TIME_WAIT
| TCP megumi:2199 localhost:44334 ESTABLISHED
| TCP megumi:2210 megumi:0 LISTENING
| TCP megumi:2210 localhost:2211 ESTABLISHED
| TCP megumi:2211 localhost:2210 ESTABLISHED

I started with TCP port 2211 because that is what Netscape is using (I used
the KPF status window to see that; TCPView doesn't list processes on a
Windows ME computer). I stopped at the same port because that shows the
loopback port pair used by Netscape. The 1424-1425 pair is Mozilla Firefox,
and the 44334-2199 pair is Kerio Personal Firewall. These are all local
connections which must be permitted, or the browser won't work.

If you have Windows Update installed (I don't), you should expect periodic
queries by the application. But you need a good tool to sort out which
ports are related to which packets. I doubt very much that the Netscape
packets and the wucrtupd.exe/wuloader.exe are related.

May I suggest that you run netstat to see what is up? If you have Windows
XP, there should be a command that will reveal the owning processes. Or you
could visit http://www.sysinternals.com/, and download TCPView, which will
do the same thing.

> Kevin
>
> Rule "205.188.146.145" blocked (205.188.146.145,domain). Details:
> Outbound UDP packet
> Local address,service is (0.0.0.0,1176)
> Remote address,service is (205.188.146.145,domain)
> Process name is "C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE"

Okay; you are posting from:

NNTP-Posting-Host: AC8A40D9.ipt.aol.com 172.138.64.217

In one of your messages in the other thread you say, "I have Netscape for
an ISP that is owned by AOL, so AOL is my ISP's Host."

Do you have a netscape.net portal page in your browser? You must be using a
DUN to the Netscape POP. Does Netscape require that your browser be
configured for a Netscape proxy? Hmmm. I will wait a bit. I was looking at
signing up for the 30-day trial, just to see what you might be seeing. I
might guess at normal traffic, but for those UDP packets to port 145. But
the destination is possibly a proxy, so I can't say what that is all about.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

Re: For N. Miller by No

No
Wed Aug 03 14:52:41 CDT 2005


Hi N. Miller,

In case I forgot I'm running Win98SE.

I get what you list below in NIS Firewall Connections Tab but I think
what I'm seeing is not the Browser but my Netscape ISP's DNS that they
don't list on their or AOL's Web Pages for IP's to allow through your
Firewall.

>
> Netscape should make a local connection when it is fired up. Using TCPView,
> I get this (a partial listing of ports):
>
> | TCP megumi:2211 megumi:0 LISTENING
> | TCP megumi:5000 megumi:0 LISTENING
> | TCP megumi:11194 megumi:0 LISTENING
> | TCP megumi:44334 megumi:0 LISTENING
> | TCP megumi:51975 megumi:0 LISTENING
> | TCP megumi:1424 megumi:0 LISTENING
> | TCP megumi:1424 localhost:1425 ESTABLISHED
> | TCP megumi:1425 localhost:1424 ESTABLISHED
> | TCP megumi:2198 localhost:44334 TIME_WAIT
> | TCP megumi:2199 localhost:44334 ESTABLISHED
> | TCP megumi:2210 megumi:0 LISTENING
> | TCP megumi:2210 localhost:2211 ESTABLISHED
> | TCP megumi:2211 localhost:2210 ESTABLISHED

> If you have Windows Update installed (I don't), you should expect periodic
> queries by the application. But you need a good tool to sort out which
> ports are related to which packets. I doubt very much that the Netscape
> packets and the wucrtupd.exe/wuloader.exe are related.

I do, but I have those tied to the Apps and the Windows IP Addresses so
nothing else uses them.

I usually do it manually but this is the Wife's Computer and set it up
that way for her.

> May I suggest that you run netstat to see what is up? If you have Windows
> XP, there should be a command that will reveal the owning processes. Or you
> could visit http://www.sysinternals.com/, and download TCPView, which will
> do the same thing.

Good Program (TCPView), don't have it on this but do on mine that is
down right now.
All the Good stuff is on that and I try not to put too much on this she
doesn't know how to use.

> Okay; you are posting from:
>
> NNTP-Posting-Host: AC8A40D9.ipt.aol.com 172.138.64.217
>
> In one of your messages in the other thread you say, "I have Netscape for
> an ISP that is owned by AOL, so AOL is my ISP's Host."
>
> Do you have a netscape.net portal page in your browser? You must be using a
> DUN to the Netscape POP. Does Netscape require that your browser be
> configured for a Netscape proxy? Hmmm. I will wait a bit. I was looking at
> signing up for the 30-day trial, just to see what you might be seeing. I
> might guess at normal traffic, but for those UDP packets to port 145. But
> the destination is possibly a proxy, so I can't say what that is all about.
>

Yes it's ISP.Netscape.com that comes up no matter what Page I set in the
Browser and I see from time to time, but not often, in the Log that IP
trying to phone home using Netscape's Dialer when I first go online:

8/2/05 21:10:41 Rule "Default Block 205.188.146.145" blocked
(205.188.146.145,domain). Details:
Outbound UDP packet
Local address,service is (0.0.0.0,1520)
Remote address,service is (205.188.146.145,domain)
Process name is "C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\DIALER.EXE"

I never allow it and everything works ok.

I also saw this when I Blocked the IP from everything and tried to use
Sam Spade to see if it was a Server:

8/2/05 21:28:49 Rule "Default Block 205.188.146.145" blocked
(205.188.146.145,domain). Details:
Outbound UDP packet
Local address,service is (0.0.0.0,1576)
Remote address,service is (205.188.146.145,domain)
Process name is "C:\PROGRAM FILES\BLIGHTY DESIGN\SPADE.EXE"

Wouldn't do the DNS without it.

I checked and it is not a listed DNS on Netscape or AOL that they list
on their Web Pages for IP's to allow through the Firewall.

I hope this helps anyone else who has Netscape ISP to know something is
going on in the background that may be ok but I'd still like to know
what it's up to using those Files for Win Update.

Thanks for your help Norm, you pointed me in the right direction.

Kevin


Re: For N. Miller by N

N
Wed Aug 03 20:18:06 CDT 2005

On Wed, 03 Aug 2005 15:52:41 -0400, !:?) wrote:

> 8/2/05 21:28:49 Rule "Default Block 205.188.146.145" blocked
> (205.188.146.145,domain). Details:
> Outbound UDP packet
> Local address,service is (0.0.0.0,1576)
> Remote address,service is (205.188.146.145,domain)
> Process name is "C:\PROGRAM FILES\BLIGHTY DESIGN\SPADE.EXE"
>
> Wouldn't do the DNS without it.

Just what are your configured DNS servers? I set [205.188.146.145] in Sam
Spade as a DNS server, and I got an answer to my query; but I can't make
Sam Spade send UDP packets to that IP address!

Kiwi Syslog is showing this during Sam Spade lookups with [205.188.146.145]
as the SS DNS server (in place of my ISP DNS server):

|Local7.Warning 192.168.102.1 2005 Aug 03 18:04:17 ICMP packet dropped - Source:172.18.126.86 Destination Unreachable (code:1) ,WAN - Destination:64.174.91.202,LAN
|Local7.Warning 192.168.102.1 2005 Aug 03 18:04:08 ICMP packet dropped - Source:172.18.126.86 Destination Unreachable (code:13) ,WAN - Destination:64.174.91.202,LAN

Kerio Personal Firewall, the Sam Spade rule, is throwing up this during
that same activity:

| 03/Aug/2005 18:01:06 SPADE MFC Application permitted; Out TCP; localhost:2101->(null) [192.149.252.44:43]; Owner: C:\BIN\BLIGHTY DESIGN\SPADE.EXE
| 03/Aug/2005 18:01:08 SPADE MFC Application permitted; Out TCP; localhost:2102->(null) [192.149.252.44:43]; Owner: C:\BIN\BLIGHTY DESIGN\SPADE.EXE
| 03/Aug/2005 18:02:46 SPADE MFC Application permitted; Out TCP; localhost:2105->(null) [206.13.31.12:53]; Owner: C:\BIN\BLIGHTY DESIGN\SPADE.EXE
| 03/Aug/2005 18:02:46 SPADE MFC Application permitted; Out TCP; localhost:2106->(null) [206.13.31.12:53]; Owner: C:\BIN\BLIGHTY DESIGN\SPADE.EXE
| 03/Aug/2005 18:03:34 SPADE MFC Application permitted; Out TCP; localhost:2110->(null) [206.13.31.12:53]; Owner: C:\BIN\BLIGHTY DESIGN\SPADE.EXE
| 03/Aug/2005 18:04:12 SPADE MFC Application permitted; Out TCP; localhost:2112->(null) [205.188.146.145:53]; Owner: C:\BIN\BLIGHTY DESIGN\SPADE.EXE

I can't induce SS to send UDP packets to port 145, though. I can't find
anything with a Google search which explains a legitimate use for outbound
UDP packets to a remote port 145. I really guess I will have to stop my BT
download long enough to sign up for the free 30-day trial of the Netscape
ISP, and see just what, exactly, they are doing.

Does the NIS package include the Norton process viewer? I have it, but it
came with the Norton Systemworks 2003 package.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

Re: For N. Miller by No

No
Wed Aug 03 23:25:04 CDT 2005

N. Miller wrote:

> Just what are your configured DNS servers? I set [205.188.146.145] in Sam
> Spade as a DNS server, and I got an answer to my query; but I can't make
> Sam Spade send UDP packets to that IP address!

My Browser won't surf the Web without it too.
It's not listed in any of their Servers on their Web Page to be allowed
through a Firewall, but it never uses the ones listed there either.

> Kiwi Syslog is showing this during Sam Spade lookups with [205.188.146.145]
> as the SS DNS server (in place of my ISP DNS server):
>
> |Local7.Warning 192.168.102.1 2005 Aug 03 18:04:17 ICMP packet dropped - Source:172.18.126.86 Destination Unreachable (code:1) ,WAN - Destination:64.174.91.202,LAN
> |Local7.Warning 192.168.102.1 2005 Aug 03 18:04:08 ICMP packet dropped - Source:172.18.126.86 Destination Unreachable (code:13) ,WAN - Destination:64.174.91.202,LAN
>
> Kerio Personal Firewall, the Sam Spade rule, is throwing up this during
> that same activity:
>
> | 03/Aug/2005 18:01:06 SPADE MFC Application permitted; Out TCP; localhost:2101->(null) [192.149.252.44:43]; Owner: C:\BIN\BLIGHTY DESIGN\SPADE.EXE
> | 03/Aug/2005 18:01:08 SPADE MFC Application permitted; Out TCP; localhost:2102->(null) [192.149.252.44:43]; Owner: C:\BIN\BLIGHTY DESIGN\SPADE.EXE
> | 03/Aug/2005 18:02:46 SPADE MFC Application permitted; Out TCP; localhost:2105->(null) [206.13.31.12:53]; Owner: C:\BIN\BLIGHTY DESIGN\SPADE.EXE
> | 03/Aug/2005 18:02:46 SPADE MFC Application permitted; Out TCP; localhost:2106->(null) [206.13.31.12:53]; Owner: C:\BIN\BLIGHTY DESIGN\SPADE.EXE
> | 03/Aug/2005 18:03:34 SPADE MFC Application permitted; Out TCP; localhost:2110->(null) [206.13.31.12:53]; Owner: C:\BIN\BLIGHTY DESIGN\SPADE.EXE
> | 03/Aug/2005 18:04:12 SPADE MFC Application permitted; Out TCP; localhost:2112->(null) [205.188.146.145:53]; Owner: C:\BIN\BLIGHTY DESIGN\SPADE.EXE
>
> I can't induce SS to send UDP packets to port 145, though. I can't find
> anything with a Google search which explains a legitimate use for outbound
> UDP packets to a remote port 145. I really guess I will have to stop my BT
> download long enough to sign up for the free 30-day trial of the Netscape
> ISP, and see just what, exactly, they are doing.
>

You're on Pacbell I think and I'm on Netscape which is AOL, that might be the
difference but I would think it would still give you something.

> Does the NIS package include the Norton process viewer? I have it, but it
> came with the Norton Systemworks 2003 package.
>

No I don't think it does, I have NIS ver. 1.0 that is really ATGuard the
last version of ATGuard but the View Statistics doesn't let me Log the
Connections like Netstat but the Connections Tab Does if that helps.

I don't have 2003 and don't know if that works the same.

The more I look into this the more I don't like it.

Now I'm seeing this:

Rule "Default Block UDP KRNL386.EXE TCP/UDP" blocked
(172.144.255.255,nbname). Details:
Outbound UDP packet
Local address,service is (compaq,nbname)
Remote address,service is (172.144.255.255,nbname)
Process name is "C:\WINDOWS\SYSTEM\KRNL386.EXE"

8/3/05 19:50:44 Rule "Default Block EXPLORER.EXE" permitted
(172.149.255.255,nbname). Details:
Outbound UDP packet
Local address,service is (172.150.86.107,nbname)
Remote address,service is (172.149.255.255,nbname)
Process name is "C:\WINDOWS\EXPLORER.EXE"

And to answer your next question, No my BrowseNewProcess in the Registry
are both set to yes as they should be !!!!

Now this looks like another Server but what does it want with these
Files!!!!

Krnl386 and Explorer ??? something is VERY strange here !

I tried the Netscape Live Chat to the Tech's and then called Netscape
Support by Phone, but it sucks when you know more about Computers than
they do.

Tried telling me he can't tell me the DNS Address but I already know it:)

How do you know what to allow through the Firewall if they don't tell
you LOL !

I was hoping to get an updated List of what I can let through the
Firewall like on the Web Sites but that seems to be a Trade Secret.

Waste of $10 bucks!

If you think about it all those Packets sent to or from my Computer that
I'm Blocking are slowing my Connection.

This Computer is only for Email really so my Wife can stay in contact
with Family and Friends so it's not a big problem but if this goes on
with others Security or Connection Speed are Compromised.

And the way I restrict things Infection is not an issue.

Never happened with other ISP's, just this one.

Kevin



Re: For N. Miller by No

No
Sat Aug 06 00:07:29 CDT 2005


Hi N. Miller,

I got the Free Agent but can't get it to connect to news.grc.com.

I checked the GRC Page and I set a Username and Password but don't
understand what a Passphrase is or if it refers to using the same word
for Username and Password as a Passphrase.

I don't understand why Free Agent won't work because it is listed by GRC.

Kevin

Re: For N. Miller by No

No
Sat Aug 06 01:52:33 CDT 2005


Hi N. Miller,

Never Mind, I figured it out.

Kevin