Jump to content

Recommended Posts

Posted

I think that my machine is infected with some sort of undetecable spyware. If I open a command prompt and run the netstat -a command it displays all of the active ports on my computer. On 6 ports there is an entry of ads.rediff.com and it is listening. I have ran a full AdAware scan, and ran HiJack this neither could find anything to do with this ads.rediff.com thing. I even searched the registry for "rediff" and could not find a single entry. However, it still remains.

I am not sure if this is realated or not but there is a huge blank space in my add/remove programs list. It is probably about 100 pages long. I am not sure if the blank space is causing the listening ports of not. I can't get rid of it either. If anyone has any idea then please help. Thanks


Posted

Is the state "Listening" or "Time_Wait"?

You probably visited a website with an ad that was hosted on ads.rediff.com. Restart the computer and run netstat again to see if ads.rediff.com still exists. If it does, or the state is "Listening" then there could be something there.

Posted
I've restarted and the entry still exists.  It's state is "Listening" 

FYI: The O.S is fully up to date

Don't forget "up to date" doesn't mean "secure." Do you have any anti-spyware apps installed? MS Antispyware?

If you're running XP SP2 check the Windows Firewall exception list for anything you don't recognize. Do you currently use any ad supported software?

Finally, check msconfig for suspicious non-Microsoft services as well as suspicious startup items.

P.S. The data for Add/Remove programs is in the registry. I'll see if I can dig it up.

Posted

The only ad supported software that I have installed is Opera. I will try the MS antispyware and registry mechanic.

Posted

In Xp Sp2 there is a new option

netstat -b

this displays the process too :)

So you can see wich process is making which connection

Posted

I install the MS AntiSpyware and it didn't find anything related to my problem. Installed Registry Mechanic and even though it is a neat little program it didn't help either. I still have the big gap in my add/remove programs list and I still have the ads.rediff.com Listening on various ports.

The netstat -b shows Active connections and it did not show any of the ads.rediff.com ports so at least they are not constantly active. Who knows.

Does anyone have any more ideas?

Posted

Maybe you can make a Hijacked Logfile and post it here.

I 'll take a look at it then

You can download Hijacked on this link

Don't delete everything in the hijacked log that you find!! because there are always a lot of things that may not be deleted ;)

Posted

Here is my HiJack Log

Logfile of HijackThis v1.97.7
Scan saved at 9:06:26 AM, on 3/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\NetSupport Manager\Client32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\TIREMOTE\wuser32.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Intuit\Track-It! 6.5\Technician Client\TIWin.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\bwinchester.TBCNET\Desktop\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://srv1/companyhome/default.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://srv1/companyhome/default.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38396.5100810185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69BFF62B-997A-4644-B5CE-64BB7F5D3123}: NameServer = 192.168.71.101

Attached is a screen shot of the netstat -a command for those who think I am full of crap.

  • 2 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...