# Unwanted connection established



## hecsaor (May 12, 2005)

Hi, I'm a first timer in this forum, but I thought you could be able to help me out of this one.

I play a multiplayer game called Tibia, that's about heroes, magic, etc. There's a program called TibiCAM, not official from the game; it records a part of your game by intercepting the sent packets or something like that, and then you can watch it later using the same program. The fact is that I downloaded a trick version of the program, it didn't load, and I got a ghost keylogger to get my account # (the hacked accounts / items from the game are sold for real-life money :S). Fortunately I found out because of my firewall and successfully deleted it.

Then I downloaded a clean version (I think), and it works perfectly, but when I use it to play a recording while being offline, I get this in netstat:


```
TCP t0r:3385 1ad2srvr-cpt-v1.com:3386 ESTABLISHED
TCP t0r:3386 1ad2srvr-cpt-v1.com:3385 ESTABLISHED
TCP t0r:3501 1ad2srvr-cpt-v1.com:7171 ESTABLISHED
TCP t0r:7171 1ad2srvr-cpt-v1.com:3500 TIME_WAIT
TCP t0r:7171 1ad2srvr-cpt-v1.com:3501 ESTABLISHED
```

And it works. I guess that's like a proxy or something, I don't know. I'm completely offline, so I think it's like internal communication, but I googled the website that appears there and it's like a spy or something. Then I checked it out in my hosts file and it's the first host in the list.

Here comes the tricky part: when I'm online and playing the game and recording with the program, the connection is still on. I guess that's OK, but I don't know if my data could be in danger. Anyway, what bothers me the most is that when I launch Mozilla Firefox (my default browser), the connection starts by itself:

```
Proto Dirección local Dirección remota Estado
TCP t0r:3267 baym-cs67.msgr.hotmail.com:1863 ESTABLISHED
TCP t0r:3447 209.59.143.50:http CLOSING
TCP t0r:3468 64.233.187.99:http ESTABLISHED
TCP t0r:3475 209.59.143.50:http ESTABLISHED
TCP t0r:3385 1ad2srvr-cpt-v1.com:3386 ESTABLISHED
TCP t0r:3386 1ad2srvr-cpt-v1.com:3385 ESTABLISHED
```

It uses various ports, like randomly. I close Firefox and it disappears; if I open IE, nothing happens. I used TCPView, a netstat-like program, and the connection there appears like localhost to localhost or something like that.

I ran HijackThis, Ad-Aware and Spybot S&D but found nothing that I thought could be related. I don't know what's going on; could my information be in danger?

I await your answer, thanks in advance everyone.

Hector
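
A triage check for the netstat listings in the post above, as an added example that is not part of the original post: it flags connections whose port-swapped twin also appears in the listing (both ends of the socket are on the same machine) and remote names that a hosts file maps to loopback. The hosts content is constructed and assumes the name points at 127.0.0.1; the function names are hypothetical.

```python
# Netstat lines copied from the post (name-resolved output, as posted).
NETSTAT = """\
TCP t0r:3385 1ad2srvr-cpt-v1.com:3386 ESTABLISHED
TCP t0r:3386 1ad2srvr-cpt-v1.com:3385 ESTABLISHED
TCP t0r:3501 1ad2srvr-cpt-v1.com:7171 ESTABLISHED
TCP t0r:7171 1ad2srvr-cpt-v1.com:3500 TIME_WAIT
TCP t0r:7171 1ad2srvr-cpt-v1.com:3501 ESTABLISHED
TCP t0r:3267 baym-cs67.msgr.hotmail.com:1863 ESTABLISHED
TCP t0r:3468 64.233.187.99:http ESTABLISHED
"""
# Constructed hosts file (assumption: the post gives the name, not its address).
HOSTS = "127.0.0.1 1ad2srvr-cpt-v1.com  # constructed\n127.0.0.1 localhost\n"

def parse_netstat(text):
    """Return (local_port, remote_host, remote_port, state) per connection line."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue  # skip headers, blank lines, anything malformed
        lport = parts[1].rsplit(":", 1)[1]
        rhost, rport = parts[2].rsplit(":", 1)
        conns.append((lport, rhost.lower(), rport, parts[3]))
    return conns

def loopback_aliases(hosts_text):
    """Names a hosts file maps to a loopback address."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and (fields[0].startswith("127.") or fields[0] == "::1"):
            names.update(n.lower() for n in fields[1:])
    return names

def mirrored(conns):
    """Connections whose reverse (ports swapped) is also listed: both ends are here."""
    seen = {(lp, rh, rp) for lp, rh, rp, _ in conns}
    return [c for c in conns if (c[2], c[1], c[0]) in seen]

def classify(netstat_text, hosts_text):
    conns, aliases = parse_netstat(netstat_text), loopback_aliases(hosts_text)
    both_ends = set(mirrored(conns))
    verdicts = {}
    for c in conns:
        kind = ("local-both-ends" if c in both_ends
                else "loopback-alias" if c[1] in aliases else "remote")
        verdicts[c[:3]] = kind
    return verdicts

if __name__ == "__main__":
    for conn, kind in classify(NETSTAT, HOSTS).items():
        print(kind, *conn)
```

Running `netstat -n` prints numeric addresses instead of resolved names, which shows directly whether the remote end is a loopback address.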


----------

