
Virus? Port 1214 oddness to 15.192.45.139?


Hello,

I just pulled 6 computers out of operation that got nailed by a virus that appeared to be dormant for 2 years and triggered on 7/4. I bought a Windows XP Key Finder from a guy on eBay for about $3 two years ago, and this program was clean and ran clean up until its recent ATTACK on systems.

Up until now it has operated correctly in displaying the Key for auditing systems to make sure that no 2 systems have the same XP key.

Recently, on 7/4, this was tagged as viral by Norton Corporate Edition 10 with the latest definitions, along with a Cruzer Mini thumb drive utility that was backed up in the archive of software, HP drivers for an HP 1320TN printer, and a few other programs that were clean and are now infected according to NAV.

Looking up this Windows XP Key Finder on google I found that there are numerous complaints about dirty copies of it with Trojans and a Trojan is what I had in my quarantine..... But what makes no sense is how a file in an Read-Only archive SINCE August 2006 all of a sudden WENT viral on 7/4 according to Symantecs Virus scan, along with other drivers. And this file had to have been scanned hundreds of times over the last 2 years without any issue.

Using Wireshark to probe the corporate network to see if there are any other troubled systems out there, I found that Wireshark displayed Kazaa port 1214 to 15.192.45.139 , so I looked up the IP to see where 15.192.45.139 resides and it hits as www.hp.com ??

A Google search for port 1214 shows it being used maliciously as well as by Kazaa, but no links to HP using port 1214. So what is going on here?

The system at 192.168.5.114 should be a clean system, given that its NAV definitions are up to date, the system scan is clean, and it is running correctly.

Any suggestions to why HP would use port 1214 and what for when the browser is not open to the HP site? Any suggestions on any better network probes other than Wireshark?

The computer, by the way, is an HP Compaq, but the systems were built clean to XP Pro SP2 via RIS from a slipstreamed XP Pro SP2 clean install, not from the manufacturer image that used to be on the HP. The HP manufacturer images on their drives usually come bundled with crap like adware/spyware and messy registries.

Thanks,

Dave
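One way to take the Wireshark observation further on the host itself, as an added example that is not part of Dave's post or the reply: Wireshark's "Kazaa" label for port 1214 comes from its port-name table, so it only tells you the port number, not what the payload is or which process opened the socket. The script below parses `netstat -ano` output from the XP box (the command and its column layout are assumed; the sample lines are constructed and only reuse the addresses named in the post) and flags any socket whose local or remote port is on a watch list, grouped by owning PID so the process can be checked next with `tasklist`.

```python
import re

# Constructed sample of Windows XP `netstat -ano` output, assumed for this
# example; the addresses echo the ones named in the post. Not real capture data.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.5.114:1057     15.192.45.139:1214     ESTABLISHED     1844
  TCP    192.168.5.114:1060     15.192.45.139:80       ESTABLISHED     1844
  TCP    192.168.5.114:139      0.0.0.0:0              LISTENING       4
  UDP    192.168.5.114:1214     *:*                                    2716
"""

# Ports worth a second look. Wireshark's "kazaa" label for 1214 comes from its
# port-name table; it says nothing about the payload actually being Kazaa.
WATCH_PORTS = {1214: "kazaa (well-known-port name only, not proof of Kazaa)"}

# Proto, local, foreign, optional State (absent for UDP), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_addr(addr):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` style lines into dicts; header/blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        lhost, lport = split_addr(local)
        rhost, rport = split_addr(remote)
        conns.append({
            "proto": proto, "lhost": lhost, "lport": lport,
            "rhost": rhost, "rport": rport,
            "state": state or "", "pid": int(pid),
        })
    return conns


def find_suspects(conns, watch=WATCH_PORTS):
    """Flag sockets whose local or remote port is on the watch list.

    Each finding carries the owning PID so the process can be identified
    next with: tasklist /fi "PID eq <pid>"
    """
    hits = []
    for c in conns:
        for side, port in (("remote", c["rport"]), ("local", c["lport"])):
            if port in watch:
                hits.append({
                    "pid": c["pid"], "proto": c["proto"], "side": side,
                    "peer": c["rhost"], "port": port, "why": watch[port],
                })
                break  # one finding per socket is enough
    return sorted(hits, key=lambda h: (h["pid"], h["port"]))


def pids_to_check(hits):
    """Distinct PIDs that own a flagged socket."""
    return sorted({h["pid"] for h in hits})


if __name__ == "__main__":
    findings = find_suspects(parse_netstat(SAMPLE_NETSTAT))
    for h in findings:
        print(f"PID {h['pid']:>5} {h['proto']} {h['side']} port {h['port']} "
              f"peer {h['peer']}: {h['why']}")
    print("check these PIDs with tasklist:", pids_to_check(findings))
```

On the sample data this flags two sockets: the TCP connection from 192.168.5.114 to 15.192.45.139:1214 (PID 1844) and a UDP socket bound locally to 1214 (PID 2716). The point is the PID: the same process also holds the port-80 connection to the same peer, so looking at which executable owns PID 1844 and what it sends on 1214 settles whether this is Kazaa, an HP updater, or something else, in a way that the port label alone cannot.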

Any suggestions to why HP would use port 1214 and what for when the browser is not open to the HP site? Any suggestions on any better network probes other than Wireshark?

You will probably be better off taking this question to the Networking forum.


Keyfinders use "covert" methods that some AVs will flag as suspicious or even malicious. Why it took 2 years I'm not sure but I would think it's a false positive. Do you mind saying the name of the keyfinder?

Kazaa is adware, and you are right that it could easily have been bundled with the fresh install. I wouldn't worry too much about it, as it can usually be removed in Add/Remove Programs.

What you can do is go to UploadMalware.com, follow the directions to have the keyfinder file analyzed by the team there.

