
How can I track down malicious dll that tries to connect to a certain IP?

Discussion in 'Security and Privacy' started by Alex_Finger, 2004/06/27.

Thread Status:
Not open for further replies.
  1. 2004/06/27
    Alex_Finger

    Alex_Finger Inactive Thread Starter

    Joined:
    2004/06/26
    Messages:
    3
    Likes Received:
    0
    Hi guys

    I got this problem when I probably downloaded and installed some software.
    Whenever a few programs (not all, only a few like IE, Outlook Express and, very unfortunately, the antivirus updater) try to connect to the Internet, instead of connecting to the site they should, they try to connect to some strange site supposedly run by a hacker with IP 209.225.55.72. As I've disabled this site in my firewall settings, the programs just give up after a few trials; thus, for example, the antivirus cannot connect to the true site and download an update. Of course, I can reinstall the whole system, and that's what I was going to do, but I decided to leave this option as a last resort and maybe try to find the dll or few dlls which make up the body of the virus (it's a virus, isn't it?) and where the instructions to connect to the hacker's site are placed. So, my question is:

    How can I track down a malicious dll that tries to connect to a certain (supposedly hacker's) Internet site? Or, more specifically, is there a system utility that would allow me to catch a dll that is trying to connect to a certain IP?

    Thanks
     
  2. 2004/06/27
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi Alex_Finger

    Welcome to the WindowsBBS forums :)
    It could be a hosts file put in place by a nastie.

    What antivirus program do you have?

    Please go get a free online Scan
    http://housecall.trendmicro.com/

    Do you have SpyBot and Ad-Aware? If not, get them, check for updates,
    and one at a time check for problems. Fix all that they find, then always restart the PC if they need it to finish the cleanup.
    Scanning with Spybot and Ad-Aware : http://www.windowsbbs.com/showpost.php?p=159029&postcount=2

    Then after that post a Log from a tool called hijackthis
    http://www.windowsbbs.com/showpost.php?p=159220&postcount=3
     


  4. 2004/06/27
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Also locate a file on your PC named hosts (no extension and located differently depending on your OS version).

    It's a normal system-type file although you may not have one. The PC will run fine without it but some bad entries in the file could cause exactly what you are seeing. Some malware will put entries in there to block your access to AV updates, spyware info sites, and similar places you could go for help.

    Rename the file to hosts-old and see if things improve.

    Note that unless you just want to go through the reinstall, you are a long way from needing to even consider that drastic a step for a 'fix'.
     
    Newt,
    #3
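
The hosts-file check suggested in the replies above, as an added example that is not part of the original thread: it parses a hosts file and lists every entry that blocks a hostname or points it at another address, marking those that use an address you are already watching (here the IP from the first post). The sample file content, the `.example` hostnames and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample (not from the poster's machine). On NT-family Windows
# the real file is %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
209.225.55.72   update.av-vendor.example   # constructed redirect entry
209.225.55.72   www.search.example mail.search.example
0.0.0.0         ads.tracker.example
10.0.0.5        fileserver.lan
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, ip_or_None, hostnames) for every mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None                            # first field is not an address
        yield line_no, ip, fields[1:]

def audit_hosts(text, watch_ips=()):
    """Return (line_no, category, hostnames) for entries worth reviewing."""
    watch = {ipaddress.ip_address(ip) for ip in watch_ips}
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip is None:
            category = "malformed"
        elif ip in watch:
            category = "watched-ip"
        elif ip.is_loopback or ip.is_unspecified:
            if names == ["localhost"]:
                continue                         # the normal default entry
            category = "blocked"                 # name sinkholed locally
        elif ip.is_global:
            category = "redirect-public"         # name forced to an Internet host
        else:
            category = "redirect-private"        # name forced to a LAN address
        findings.append((line_no, category, names))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, watch_ips=["209.225.55.72"]):
        print(finding)
```

To audit a real machine, pass the text of its own hosts file to `audit_hosts` in place of `SAMPLE_HOSTS`.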
  5. 2004/06/27
    Alex_Finger

    Alex_Finger Inactive Thread Starter

    Joined:
    2004/06/26
    Messages:
    3
    Likes Received:
    0
    ok, I'll try that..
     
  6. 2004/06/28
    JoeHobart

    JoeHobart Inactive Alumni

    Joined:
    2004/05/19
    Messages:
    919
    Likes Received:
    1
  7. 2004/06/28
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0