bullet Posted March 1, 2005 Share Posted March 1, 2005 I think that my machine is infected with some sort of undetecable spyware. If I open a command prompt and run the netstat -a command it displays all of the active ports on my computer. On 6 ports there is an entry of ads.rediff.com and it is listening. I have ran a full AdAware scan, and ran HiJack this neither could find anything to do with this ads.rediff.com thing. I even searched the registry for "rediff" and could not find a single entry. However, it still remains. I am not sure if this is realated or not but there is a huge blank space in my add/remove programs list. It is probably about 100 pages long. I am not sure if the blank space is causing the listening ports of not. I can't get rid of it either. If anyone has any idea then please help. Thanks Link to comment Share on other sites More sharing options...
raskren Posted March 1, 2005 Share Posted March 1, 2005 Is the state "Listening" or "Time_Wait"?You probably visited a website with an ad that was hosted on ads.rediff.com. Restart the computer and run netstat again to see if ads.rediff.com still exists. If it does, or the state is "Listening" then there could be something there. Link to comment Share on other sites More sharing options...
bullet Posted March 1, 2005 Author Share Posted March 1, 2005 I've restarted and the entry still exists. It's state is "Listening" FYI: The O.S is fully up to date Link to comment Share on other sites More sharing options...
raskren Posted March 1, 2005 Share Posted March 1, 2005 I've restarted and the entry still exists. It's state is "Listening" FYI: The O.S is fully up to date<{POST_SNAPBACK}>Don't forget "up to date" doesn't mean "secure." Do you have any anti-spyware apps installed? MS Antispyware?If you're running XP SP2 check the Windows Firewall exception list for anything you don't recognize. Do you currently use any ad supported software?Finally, check msconfig for suspicious non-Microsoft services as well as suspicious startup items.P.S. The data for Add/Remove programs is in the registry. I'll see if I can dig it up. Link to comment Share on other sites More sharing options...
raskren Posted March 1, 2005 Share Posted March 1, 2005 Ooops, double post. Link to comment Share on other sites More sharing options...
firefoxthebomb Posted March 1, 2005 Share Posted March 1, 2005 Download MS Antisypware and install and run it. Remove anything it finds. Also run like registry mechanic on your registry to look for errors to try and clean up those spaces. Then let us know what you found. Link to comment Share on other sites More sharing options...
bullet Posted March 1, 2005 Author Share Posted March 1, 2005 The only ad supported software that I have installed is Opera. I will try the MS antispyware and registry mechanic. Link to comment Share on other sites More sharing options...
Weazle Posted March 3, 2005 Share Posted March 3, 2005 In Xp Sp2 there is a new optionnetstat -b this displays the process too So you can see wich process is making which connection Link to comment Share on other sites More sharing options...
bullet Posted March 3, 2005 Author Share Posted March 3, 2005 I install the MS AntiSpyware and it didn't find anything related to my problem. Installed Registry Mechanic and even though it is a neat little program it didn't help either. I still have the big gap in my add/remove programs list and I still have the ads.rediff.com Listening on various ports. The netstat -b shows Active connections and it did not show any of the ads.rediff.com ports so at least they are not constantly active. Who knows.Does anyone have any more ideas? Link to comment Share on other sites More sharing options...
Weazle Posted March 4, 2005 Share Posted March 4, 2005 Maybe you can make a Hijacked Logfile and post it here.I 'll take a look at it thenYou can download Hijacked on this linkDon't delete everything in the hijacked log that you find!! because there are always a lot of things that may not be deleted Link to comment Share on other sites More sharing options...
bullet Posted March 4, 2005 Author Share Posted March 4, 2005 Here is my HiJack LogLogfile of HijackThis v1.97.7Scan saved at 9:06:26 AM, on 3/4/2005Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\NetSupport Manager\Client32.exeC:\Program Files\Symantec AntiVirus\DefWatch.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Symantec AntiVirus\SavRoam.exeC:\WINDOWS\System32\snmp.exeC:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\Program Files\Symantec AntiVirus\Rtvscan.exeC:\WINDOWS\TIREMOTE\wuser32.exeC:\WINDOWS\TIREMOTE\TIRemoteService.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Analog Devices\SoundMAX\SMTray.exeC:\WINDOWS\system32\ICO.EXEC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\WINDOWS\system32\FSRremoS.EXEC:\PROGRA~1\SYMANT~1\VPTray.exeC:\WINDOWS\system32\atiptaxx.exeC:\Program Files\Microsoft AntiSpyware\gcasServ.exeC:\Program Files\Microsoft IntelliType Pro\type32.exeC:\Program Files\Microsoft IntelliPoint\point32.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Microsoft AntiSpyware\gcasDtServ.exeC:\Program Files\Intuit\Track-It! 6.5\Technician Client\TIWin.exeC:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXEC:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXEC:\Documents and Settings\bwinchester.TBCNET\Desktop\HiJack\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://srv1/companyhome/default.aspR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://srv1/companyhome/default.aspR1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exeO4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exeO4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXEO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exeO4 - HKLM\..\Run: [AtiPTA] atiptaxx.exeO4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.htmlO8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.htmlO8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.htmlO8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.htmlO9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)O9 - Extra button: Research (HKLM)O9 - Extra button: Messenger (HKLM)O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)O11 - Options group: [JAVA_IBM] Java (IBM)O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cabO16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cabO16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38396.5100810185O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{69BFF62B-997A-4644-B5CE-64BB7F5D3123}: NameServer = 192.168.71.101Attached is a screen shot of the netstat -a command for those who think I am full of crap. Link to comment Share on other sites More sharing options...
Weazle Posted March 17, 2005 Share Posted March 17, 2005 Sorry for the late responseappearantly I forgot to check Email notificationthe hijacked is already out of date Please download a newer version hereMake a scan and post the scan in the analyse tool on this link: http://hijackthis.de/ Link to comment Share on other sites More sharing options...
bullet Posted March 17, 2005 Author Share Posted March 17, 2005 Nevermind about this problem. It gave me a good reason to use my unattend CD. Thanks for trying. Link to comment Share on other sites More sharing options...
Recommended Posts
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now