Last scanned connection: twitter.com/stevie23isking - What is this?

Hi everybody, a few months ago I took a look on avast!'s Network shield and I noticed one: Last scanned connection: twitter.com/stevie23isking - even with no web browser open just the desktop :S

Can anyone tell me what is this ???
OK I know it’s not blocked by avast! but something is accessing to this site :S

I see this every day - sometimes 2 or 3 times a day

Thank you :slight_smile:

EDIT:
Screenshot attached

EDIT #2:
A Few months ago I registered on Twitter but I don’t use it

Well avast doesn’t just scan stuff for the sake of it, something has tried to connect to that twitter location. I don’t use twitter (or any other social networking site, just targets for malware) when you sign-up do you not have any settings that are saved to your system, like checking for new tweets on specific areas/topics.

If so this could just be checking for new tweets, in the same way as some email checkers check in the background to see if you have email.

What is your firewall as a good one should also be checking on outbound connections ?

I’m using Online Armor

EDIT:
Now I went to twitter, logged in and I saw my settings - no notifications or any other things, and I deactivated my account because I don’t need it

Let’s see if it works

Well that should surely block unauthorised outbound connections and if not then a) it is an authorised connection one you allowed or b) it should log the connection and hopefully the process responsible for the connection.

Ok but the only question is WHICH PROCESS?
I checked all the sites I have open and no one of them contains scripts or something from twitter ???

I searched for this “stevie23isking” with Bing - no results, I searched for this person on Twitter - no results

I ran a scan on it with NoVirusThanks’ Multi-Engine virus scanner: CLEAN

So I really don’t know what is this

There would be an originating process/file name for the connection to that link, see image, just one of the logs on my firewall.

It isn’t the sites that you have open you have to be concerned with as you said this happened even without your browser open. That is why I asked about twitter settings, etc. I can’t be much practical help as I said I don’t use twitter.

Seems Bing is pants then, I found this. http://twitter.com/stevie23isking not a million miles from your original link without the http bit.

Ok, but what should I do? Online Armor logs only IP’s, not web addresses

Another one: dns : // twitter . com [I put spaces to make it non-clickable]

And an idea: should I delete Online Armor’s In- and Outgoing rules?

EDIT: OK I found Online Armor’s Firewall Status - it displays all the connections, I will watch for that twitter connection (it displays the process too so I can determine what was the source)

A screenshot, this connection happened when CTSysVol appeared on Online Armor’s list - see the image

EDIT: I saw it again but it’s not CTSysVol and I did a search with RegEdit but no results :S
I know CTSysVol is from Microsoft and it’s sending something (information?)

Well that IP ctsysvol.exe is connecting to 168.143.162.100 is for:
OrgName: NTT America, Inc.
Colorado.

So I don’t know if that rings any bells.

The CTSysVol is Related to Creative Technology Sound card volume controls. Note: Located in %Program Files%\Creative\Sound Blaster Audigy 2\Surround Mixer. So yours is in a different location and why (even if it were legit) it would require an outbound connection is beyond me. Presumably you have that sound card.

http://www.processlibrary.com/directory/files/ctsysvol/

So why this would be running from a temp location is also strange, but it doesn’t seem to be connecting to twitter.com (IPs 168.143.162.116, 128.242.240.116, 128.242.245.20).

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page.

Certainly as a temp measure I would block outbound connection for it.

Uh-oh last scan result was 8/42 :S :o
Avast! Doesn’t detect this: http://www.virustotal.com/analisis/e9d3ebad33e8ca537cd19a63c774aa24add76c29270c6bd10dd5045535811aba-1279900184

So please help me
Now it’s 9/42

Whilst most of the detections were generic/heuristic it is worth checking out further.

Send the sample/s to avast as a Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.

In the text box, give the link to the VT results and also this forum topic.

With the copy in the chest, delete the one in the original location and watch out for it being restored as that would indicate there is something else hidden/undetected. Ensure you have that file blocked in your firewall as I said before.

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should product a log file).

Don’t worry about reported tracking cookies they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.

Sample sent to avast! Virus Labs (the program is in the chest), I blocked everything related to this thing with Online Armor (Autorun, Execution, Network access etc.)

MBAM scans were clean…

EDIT:
SUPERAntiSpyware found registry keys related to Application.Oreans32, and a file (drivers\oreans32.sys)

I viewed the information about it - they said ‘It can be used for legitimate applications…’ - should I remove it?

EDIT #2:
Log has been attached

You’re log isn’t complete as it doesn’t have the info about the File threat detected, namely what it calls the threat so there really is no way to tell.

So it would be the same drill as before, check it out at virustotal and report the findings.

From the google hits, it would appear that it might be being detected because of what it does, as it appears to be some game protection driver which uses rootkit method to apply that protection. So do you use games that might be using this protection ?

http://www.bleepingcomputer.com/startups/oreans32.sys-15732.html
http://www.threatexpert.com/files/oreans32.sys.html whilst this indicates there is a high likelihood of it being a threat, most of the detections reported here are heuristic (more prone to FP) based on what it does and as such could be misused.

Description: oreans32.sys is located in the folder C:\Windows\System32\drivers. Known file sizes on Windows XP are 33,952 bytes (42% of all occurrence), 33,824 bytes, 33,920 bytes, 33,856 bytes.http://www.file.net/process/oreans32.sys.html The driver can be started or stopped from Services in the Control Panel or by other programs. There is no information about the maker of the file. The program is not visible. There is no detailed description of this service. The file is not a Windows system file. oreans32.sys seems to be a compressed file. Therefore the technical security rating is 53% dangerous, however also read the users reviews.

Important: Some malware camouflage themselves as oreans32.sys, particularly if they are located in c:\windows or c:\windows\system32 folder. Thus check the oreans32.sys process on your pc whether it is pest.

http://forum.kaspersky.com/lofiversion/index.php/t25243.html Whilst this is an old topic is is still relevant showing it was previously detected, but mentions the game component issue and that really is the question, are you using a game that uses this driver.

That file, OREANS32.SYS was mentioned before, it's a component of a game protection system. It uses rootkit methods, perhaps that's why it's detected as malware by some scanners. This would have probably triggered some sort of pdm response whn you ran the program.

Yes because it was a custom scan - just registry - but the file is: C:\WINDOWS\system32\drivers\oreans32.sys

I’m holding the SAS results window here, so my question is should I delete it or not?

http://www.virustotal.com/analisis/d786de9fb254dcec3d131cbeae13e4020d9e353835ad2e4bef9580b1d638b4ad-1279983174
2/42 - nProtect & SUPERAntiSpyware

And some more: Trojan.Agent/Gen-FakeAlert(Local): 2 game modding utilities | 3 Tracking cookies
Threats detected: 22 (17 from oreans32)

EDIT: I kept it and I deleted the others
And what should I do with this FAKE CTSysVol.exe? - It hasn’t got digital sign or any other information (just the language: German)

The VT detections are really irrelevant as it doesn’t show the original location, what must be determined here is, is the use legitimate, e.g. what I was on about gaming and why I asked the question about it.

I can’t decide for you if you should delete it or not as I haven’t a clue what you have installed on your system.

About CTSysVol.exe, I said in Reply #11 for you to a) send it to the chest, submit to avast and b) delete it from the original location.

With the copy in the chest, delete the one in the original location and watch out for it being restored as that would indicate there is something else hidden/undetected. Ensure you have that file blocked in your firewall as I said before.

Okay, I’m going to delete the fake CTSysVol.exe. In it’s folder there are 2 other files: UsrClass.dat and UsrClass.dat.LOG
Are they legitimate files?

About Oreans32, I don’t know which games are using it but just nProtect and SAS detect it. It’s path is C:\WINDOWS\system32\drivers\oreans32.sys

You have to investigate them based on a) the results of a google search, b) what you have installed on your system and why you think there is something wrong with them (which you don’t mention).

I can’t help with oreans32, I don’t have any information to work with (it is irrelevant what detects it if it is legit) you have to check what games (I’m not a gamer so I don’t know) you have and their requirements, web site, etc.