# SciTE keeps trying to access internet at 209.18.47.61:DNS

Every time I use SciTE.exe it tries to access the internet every now and then. I never realized this up until I started using ZoneAlarm.

Why is it contacting the internet with functions like:

```autoit
#RequireAdmin
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_icon=..\Pictures\Icons\G-key.ico
#AutoIt3Wrapper_outfile=Safe.exe
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include <Misc.au3>
#include <File.au3>
#include <String.au3>

; Allow only one running instance
If _Singleton(@ScriptName, 1) = 0 Then
    Exit
EndIf
HotKeySet("{F2}", "_Select")

While 1
    Sleep(360000)
WEnd

; F2 opens a small command prompt
Func _Select()
    Local $I = InputBox("Command Center", " ", "", "", 200, 100)
    Switch $I
        Case "kill", "exit", "stop", "Kill", "Exit", "Stop", "KILL", "EXIT", "STOP"
            Exit
        Case "create", "Create", "CREATE"
            _create()
        Case "lock", "Lock", "LOCK"
            _lock()
        Case "unlock", "Unlock", "UNLOCK", "un-lock", "Un-lock", "UN-LOCK", _
                "un lock", "Un lock", "UN LOCK", "Un Lock", "Un-Lock"
            _unlock()
        Case "au3"
            ; Opens the URL in the default browser; the only URL in this script
            ShellExecute("http://www.autoitscript.org")
        Case Else
            MsgBox(0, "Syntax error", "'" & $I & "'" & " is not recognized as an internal or external command." & _
                    @LF & "Correct your syntax and try again.")
    EndSwitch
EndFunc

; Create the "Archive" folder with a custom icon
Func _create()
    $folder = @ScriptDir & "\Archive"
    DirCreate(@ScriptDir & "\Archive")
    _FileCreate(@ScriptDir & "\Archive\desktop.ini")
    FileInstall("C:\W7\lock.ico", @ScriptDir & "\Archive\lock.ico")
    IniWriteSection($folder & "\" & "Desktop.ini", ".ShellClassInfo", _
            "IconFile=" & "lock.ico" & @LF & _
            "IconIndex=0" & @LF & _
            "InfoTip=Folder ready for archiving!")
    FileSetAttrib($folder & "\" & "Desktop.ini", "+HS")
    FileSetAttrib($folder, "+R")
    FileSetAttrib($folder & "\lock.ico", "+SHR")
EndFunc

; Pack "Archive" into a password-protected RAR
Func _lock()
    $KB29 = InputBox("Enter password", " ", "", "*", 200, 75)
    _TalkOBJ("Processing.")
    ; The password is kept in $~settings.ini, encoded with _StringEncrypt and a fixed key of one space
    $Encrypt = _StringEncrypt(1, $KB29, " ", 7)
    FileInstall("C:\W7\Rar.exe", @TempDir & "\Rar.exe")
    FileChangeDir(@TempDir)
    ; Note: the password is passed on the rar command line
    RunWait("rar a Data.rar -k -ow -dw -m5 -hp" & $KB29 & " " & @ScriptDir & "\Archive", @TempDir, @SW_HIDE)
    $Rar = _TempFile(@ScriptDir, "DATA_", ".rar", 7)
    FileMove(@TempDir & "\Data.rar", $Rar)
    ProcessClose("Rar.exe")
    $Get = (_GetNameByFullPath($Rar))
    If FileExists(@ScriptDir & "\$~settings.ini") Then
        IniWriteSection(@ScriptDir & "\$~settings.ini", $Get, "KB29=" & $Encrypt)
    Else
        _FileCreate(@ScriptDir & "\$~settings.ini")
        IniWriteSection(@ScriptDir & "\$~settings.ini", $Get, "KB29=" & $Encrypt)
    EndIf
    _TalkOBJ("Archiving complete.")
EndFunc

; Look up the stored password for a chosen archive and extract it to "Data"
Func _unlock()
    $message = "Select your archive file."
    $archive = FileOpenDialog($message, @WindowsDir & "\", "Archives (*.rar)", 1 + 4)
    If @error Then
        MsgBox(4096, "", "No File(s) chosen")
        Exit
    Else
        $archive = StringReplace($archive, "|", @CRLF)
    EndIf
    $message2 = "Select your ini file."
    $ini = FileOpenDialog($message2, @WindowsDir & "\", "Images (*.ini)", 1 + 4)
    If @error Then
        MsgBox(4096, "", "No File(s) chosen")
        Exit
    Else
        $ini = StringReplace($ini, "|", @CRLF)
    EndIf
    $Geta = (_GetNameByFullPath($archive))
    $G = IniRead($ini, $Geta, "KB29", " ")
    $Uc = _StringEncrypt(0, $G, " ", 7)
    FileInstall("C:\W7\UnRAR.exe", @TempDir & "\UnRAR.exe")
    DirCreate(@ScriptDir & "\Data")
    FileChangeDir(@TempDir)
    RunWait("unrar e -y -p" & $Uc & " " & $archive & " " & @ScriptDir & "\Data", @TempDir, @SW_HIDE)
    ProcessClose("UnRAR.exe")
    Sleep(500)
    ; UnRAR.exe was installed to @TempDir, so delete it from there
    FileDelete(@TempDir & "\UnRAR.exe")
    _TalkOBJ("Task completed.")
EndFunc

; Return the file name part of a full path, or 0 if the file does not exist
Func _GetNameByFullPath($_FullPath)
    If Not FileExists($_FullPath) Then Return 0
    $_FileName = StringSplit($_FullPath, '\')
    Return $_FileName[$_FileName[0]]
EndFunc   ;==> _GetNameByFullPath ( )

; Speak a status message through the Windows speech API
Func _TalkOBJ($s_text)
    Local $o_speech = ObjCreate("SAPI.SpVoice")
    $o_speech.Speak($s_text)
    $o_speech = ""
EndFunc
```

Do I have an infected copy or something? lol

Edited by xJSLRx

##### Share on other sites

Just ran your script on mine and I'm not getting anything happening. Checked out the TCP/IP connections in Process Explorer.

As far as I'm aware it doesn't have an update function in SciTE either. Strange.....

http://twentylinesofcode.blogspot.com Little apps n crap. can be fun

##### Share on other sites

> As far as I'm aware it doesn't have an update function in SciTE either. Strange.....

and you see Check the SciTE4AutoIt3 Homepage for Updates http://www.autoitscript.com/autoit3/scite

Last Update : 2/28/2010

Edited by wakillon

AutoIt 3.3.14.2 X86 - SciTE 3.6.0 - WIN 8.1 X64 - Other Example Scripts

##### Share on other sites

aah touche

Maybe this is the source?

But just running the script without going to the about dialog box doesn't make any TCP/IP connections is what I was saying.


##### Share on other sites

> aah touche
>
> Maybe this is the source?
>
> But just running the script without going to the about dialog box doesn't make any TCP/IP connections is what I was saying.

You're right, I don't see any attempt to access internet!

xJSLRx should show ZA message to be sure...


##### Share on other sites

> You're right, I don't see any attempt to access internet!
>
> xJSLRx should show ZA message to be sure...

It's basically what I put as the topic title. Something about SciTE attempting to access the trusted zone and making repeated requests to my DNS server.

I'm beginning to think I might have a modified UDF.... And that it's probably spyware but then again who wants to see me fiddle with a script editor for hours on end?

##### Share on other sites

Here's the image of the warning I keep getting.

Edited by xJSLRx

##### Share on other sites

> It's basically what I put as the topic title. Something about SciTE attempting to access the trusted zone and making repeated requests to my DNS server.
>
> I'm beginning to think I might have a modified UDF.... And that it's probably spyware but then again who wants to see me fiddle with a script editor for hours on end?

IP 209.18.47.61 is located at:

```
OrgId: RRMA
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US
RegDate:
Updated: 2011-01-05
Comment: Allocations for this OrgID serve Road Runner residential customers out of the Columbus, OH, Herndon, VA and Raleigh, NC RDCs.
```

Maybe your Internet Service Provider?


##### Share on other sites

Weird.. I live in South Texas and my DNS server is only 17-18 miles away. Why would SciTE try to make contact to the area in your image...

Edited by xJSLRx

##### Share on other sites

> Weird.. I live in South Texas and my DNS server is only 17-18 miles away. Why would SciTE try to make contact to the area in your image...

Yes, it's strange!

Where did you get the SciTE installer?


##### Share on other sites

> Yes, it's strange!
>
> Where did you get the SciTE installer?

SciTE came from here but a lot of my UDFs came from shady sites. I wouldn't doubt my PC is pretty much just plain "INFECTED" cause I can just imagine how easy it would be writing a script that mods UDFs to do stuff you wouldn't want.

I'll have to download a brand spankin' new copy of SciTE and make a copy of my "Includes" before replacing them, then I can test to see if it really was my UDFs or something even BIGGER.

Edit: bunch of spelling errors...

Edited by xJSLRx

##### Share on other sites

Even the script obfuscator tries to make contact. This definitely rules out the UDF theory and opens a whole new spectrum of thought...

Did SciTE recently come out with a usage monitoring feedback system?

Edit: I have Microsoft Security Essentials but I don't think it's very good.

Edited by xJSLRx

##### Share on other sites

> Even the script obfuscator tries to make contact. This definitely rules out the UDF theory and opens a whole new spectrum of thought...
>
> Did SciTE recently come out with a usage monitoring feedback system?
>
> Edit: I have Microsoft Security Essentials but I don't think it's very good.

No feedback system, it must be spyware!

Microsoft Security Essentials must be too light!

Take a more reliable security suite... like KIS...


##### Share on other sites

Your image shows that AutoIt3.exe is trying something, not SciTE nor Obfuscator.

So how is AutoIt3.exe run?

By the way, SciTE4AutoIt3 has an option to check for updates but that is switched off by default. When switched on, Autoit3Wrapper.exe will perform the check.

Jos

au3.properties, which contains the switch for update checking:

```
# SciTE settings for AutoIt v3
#
# February 26, 2010 - Jos
#
#
# *** Specify here your AutoIt program directory ***
autoit3dir=C:\Program Files (x86)\AutoIt3
openpath.$(au3)=$(autoit3dir)\include
openpath.beta.$(au3)=$(autoit3dir)\beta\include
au3=*.au3
filter.au3=AutoIt (au3)|$(au3)|
lexer.$(au3)=au3
#define the number of backup files you want to keep 0=none
backup.files=0
#define if you want AutoIt3Wrapper to check once every day for available updates for SciTE4AutoIt3
```

Edited by Jos

Live for the present,
Dream of the future,
Learn from the past.

##### Share on other sites

@Jos

I have made the change in au3.properties for check for update and restarted SciTE

but it doesn't try to access internet...

Edited by wakillon


##### Share on other sites

Just out of curiosity the OP could post a list of all the files that are #Included. I have a solid hunch the problem will be in there.

George

Question about decompiling code? Read the decompiling FAQ and don't bother posting the question in the forums.

Be sure to read and follow the forum rules. -AKA the AutoIt Reading and Comprehension Skills test.***

The PCRE (Regular Expression) ToolKit for AutoIT - (Updated Oct 20, 2011 ver:3.0.1.13) - Please update your current version before filing any bug reports. The installer now includes both 32 and 64 bit versions. No change in version number.

Visit my Blog .. currently not active but it will soon be resplendent with news and views. Also please remove any links you may have to my website. it is soon to be closed and replaced with something else.

"Old age and treachery will always overcome youth and skill!"

##### Share on other sites

When you have the Full installer loaded and AutoIt3Wrapper is run during a Compile-RUN etc, it will run a CheckForUpdates() UDF once a day when:

```autoit
If SendSciTE_GetInfo($My_Hwnd, $SciTE_hwnd, "askproperty:check.updates.scite4autoit3") = 1 Then
    If IniRead($SciTE_Dir & "\SciTEVersion.ini", 'SciTE4AutoIt3', 'LastCheckDate', '') <> _NowDate() Then
        CheckForUpdates()
        IniWrite($SciTE_Dir & "\SciTEVersion.ini", 'SciTE4AutoIt3', 'LastCheckDate', _NowDate())
    EndIf
EndIf
```

Which will retrieve the following file from the website:

```autoit
$rc = InetGet('http://www.autoitscript.com/autoit3/scite/download/scite4autoit3version.ini', $SciTE_Dir & "\scite4autoit3versionWeb.ini", 16, 1)
```

Jos

Edited by Jos


##### Share on other sites

> When you have the Full installer loaded and AutoIt3Wrapper is run during a Compile-RUN etc, it will run a CheckForUpdates() UDF once a day when:
>
> ```autoit
> If SendSciTE_GetInfo($My_Hwnd, $SciTE_hwnd, "askproperty:check.updates.scite4autoit3") = 1 Then
>     If IniRead($SciTE_Dir & "\SciTEVersion.ini", 'SciTE4AutoIt3', 'LastCheckDate', '') <> _NowDate() Then
>         CheckForUpdates()
>         IniWrite($SciTE_Dir & "\SciTEVersion.ini", 'SciTE4AutoIt3', 'LastCheckDate', _NowDate())
>     EndIf
> EndIf
> ```
>
> Which will retrieve the following file from the website:
>
> ```autoit
> $rc = InetGet('http://www.autoitscript.com/autoit3/scite/download/scite4autoit3version.ini', $SciTE_Dir & "\scite4autoit3versionWeb.ini", 16, 1)
> ```
>
> Jos

I'm sorry for the late reply but last night after I compiled my program, every time I run any compiled program I make, it automatically tries to access the IP address I mentioned earlier! This is very strange. I'm not concerned about my privacy because my PC is not very private. On another note, this morning I have noticed that the balloons that pop up warning about the internet connection just go away after about half a second. What I think may be happening is there may be another program waiting for these popups and then just clicking accept. I think it may be possible that I have a "RAT" on my PC.

I've been trying to take a screenshot of the popup that says SciTE, a centilla (not sure how it's spelled...) based script editor is trying to access the internet, which is a different popup than the one in my picture above. Not only that, but it says the obfuscator and any program I make keep doing the same thing. It may be very possible that 209.18.47.61 is using my PC to DDoS sites etc. I say this because I have been fire-walled from HF and several msc sites. So my conclusion is I "AM" infected.

I am going to boot into Maverick and use V-box to investigate my SciTE install. It would be nice if there were a program that could tell you the difference between two similar files, like file size etc.

I'll just have to download a fresh SciTE and compare them manually.

Edited by xJSLRx
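
A comparison of the kind wished for in the post above, as an added example that is not part of the original thread: it hashes every file under a suspect tree and under a freshly installed one, and reports files that differ, were added, or are missing. The folder layout and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map relative path (lower-cased, Windows paths being case-insensitive) -> (size, sha256)."""
    root = Path(root)
    snap = {}
    for path in root.rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            rel = path.relative_to(root).as_posix().lower()
            snap[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def compare_trees(suspect, reference):
    """Classify files as modified, added (suspect only) or missing (reference only)."""
    s, r = snapshot(suspect), snapshot(reference)
    common = sorted(s.keys() & r.keys())
    return {
        # Keep both sizes for modified files: equal sizes with different hashes
        # are exactly what a size-only comparison would miss.
        "modified": {k: (s[k][0], r[k][0]) for k in common if s[k][1] != r[k][1]},
        "added": sorted(s.keys() - r.keys()),
        "missing": sorted(r.keys() - s.keys()),
    }


def demo():
    """Build two small constructed trees (not real AutoIt files) and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh, suspect = Path(tmp, "fresh", "Include"), Path(tmp, "suspect", "Include")
        for d in (fresh, suspect):
            d.mkdir(parents=True)
            (d / "Misc.au3").write_bytes(b"; constructed sample\nFunc _A()\nEndFunc\n")
        (fresh / "File.au3").write_bytes(b"Func _B()\n    Return 1\nEndFunc\n")
        (suspect / "File.au3").write_bytes(b"Func _B()\n    Return 2\nEndFunc\n")  # same size
        (fresh / "String.au3").write_bytes(b"Func _C()\nEndFunc\n")
        (suspect / "Extra.au3").write_bytes(b"Func _D()\nEndFunc\n")
        return compare_trees(suspect.parent, fresh.parent)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

`compare_trees()` takes any two folders, for example the existing AutoIt3 folder and a fresh install unpacked elsewhere.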

##### Share on other sites

Check post 16 (and 17 for the MVP answer, naturally). If those keys are there I would not think it is your exe or SciTE, just your browser and when something invokes it the calls are being made.

but I have been wronger.

Edited by iamtheky
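
For the suggestion earlier in the thread to list every file the script #includes: an added example (not from any poster, and not part of AutoIt or SciTE4AutoIt3) that walks the #include chain of a script and flags calls to AutoIt's built-in network functions. The file names and contents in `demo()` are constructed, and the function list in `NET_RE` is an assumption about what is worth flagging, not a complete list.

```python
import re
import tempfile
from pathlib import Path

INCLUDE_RE = re.compile(r'^[ \t]*#include[ \t]*([<"])([^>"\r\n]+)[>"]', re.I | re.M)
# Built-in AutoIt functions that open sockets or resolve names (not an exhaustive list).
NET_RE = re.compile(r"\b(InetGet|InetRead|InetGetSize|TCPStartup|TCPConnect|TCPNameToIP|"
                    r"TCPSend|UDPStartup|UDPOpen|UDPSend|Ping)\s*\(", re.I)


def include_closure(script, include_dir):
    """Every file reachable from `script` through #include, in discovery order."""
    seen, queue = [], [Path(script).resolve()]
    lib = Path(include_dir).resolve()
    while queue:
        cur = queue.pop(0)
        if cur in seen:
            continue
        seen.append(cur)
        for kind, name in INCLUDE_RE.findall(cur.read_text(errors="replace")):
            # <file> searches the library folder first, "file" the including file's folder.
            order = [lib, cur.parent] if kind == "<" else [cur.parent, lib]
            found = next((b / name for b in order if (b / name).is_file()), None)
            if found:
                queue.append(found.resolve())
    return seen


def network_calls(files):
    """(file name, line number, function) for each call found outside full-line comments."""
    hits = []
    for f in files:
        for n, line in enumerate(f.read_text(errors="replace").splitlines(), 1):
            if not line.lstrip().startswith(";"):
                hits += [(f.name, n, m.group(1)) for m in NET_RE.finditer(line)]
    return hits


def demo():
    """Constructed sample tree: one include pulls in a helper that resolves a host name."""
    with tempfile.TemporaryDirectory() as tmp:
        inc = Path(tmp, "Include")
        inc.mkdir()
        Path(tmp, "Safe.au3").write_text('#include <Misc.au3>\n#include <File.au3>\n')
        (inc / "Misc.au3").write_text("#include-once\nFunc _Singleton()\nEndFunc\n")
        (inc / "File.au3").write_text('#include-once\n#include "Helper.au3"\n; InetGet("x")\n')
        (inc / "Helper.au3").write_text(
            'Func _H()\n    TCPStartup()\n    $ip = TCPNameToIP("example.invalid")\nEndFunc\n')
        files = include_closure(Path(tmp, "Safe.au3"), inc)
        return [f.name for f in files], network_calls(files)


if __name__ == "__main__":
    print(demo())
```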
