determining if a system has spy ware on it


Hi,

I have a home PC connected to the Internet.  I run Norton AntiVirus
version 7 or 8 and it is up to date.  I also run Ad-Aware and Spybot
Search & Destroy.  All come up clean.

However, when I log in it seems to take longer on one of my systems for
the Explorer bar to come up and be active.  Could I have a rootkit and
not know it?

Just wondering?

Re: determining if a system has spy ware on it

no one wrote:

You can use the tools in the link.

Long

http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

Short

http://tinyurl.com/klw1

Duane :)

Re: determining if a system has spy ware on it

Duane Arnold wrote:
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

I just looked at the firewall log of my router; for a different system
in my house I see a connection when no one was on the system.

What does anyone make of this?
Here is my firewall log
--------------------------
2006-05-08 23:36:41 TCP from 192.168.0.45:1808 to 204.176.49.2(204.176.49.2):80
...
2006-05-08 23:39:29 TCP from 192.168.0.45:1809 to 204.176.49.116:8000
...
2006-05-08 23:51:44 TCP from 192.168.0.45:1810 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 00:06:47 TCP from 192.168.0.45:1811 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 00:21:49 TCP from 192.168.0.45:1812 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 00:36:53 TCP from 192.168.0.45:1813 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 00:39:37 TCP from 192.168.0.45:1814 to 204.176.49.116(204.176.49.116):8000
...
2006-05-09 01:06:58 TCP from 192.168.0.45:1816 to 204.176.49.2:80
...
2006-05-09 01:22:01 TCP from 192.168.0.45:1817 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 01:37:02 TCP from 192.168.0.45:1818 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 01:39:41 TCP from 192.168.0.45:1819 to 204.176.49.116(204.176.49.116):8000
...
2006-05-09 01:39:42 1819/TCP from 204.176.49.116:8000 to 192.168.0.45:1819 Invalid TCP packet received, dropping packet
...
2006-05-09 01:52:04 TCP from 192.168.0.45:1820 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 02:07:07 TCP from 192.168.0.45:1821 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 02:22:09 TCP from 192.168.0.45:1822 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 02:37:11 TCP from 192.168.0.45:1823 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 02:39:47 TCP from 192.168.0.45:1824 to 204.176.49.116:8000
...
2006-05-09 02:52:14 TCP from 192.168.0.45:1825 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 03:07:16 TCP from 192.168.0.45:1826 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 03:22:19 TCP from 192.168.0.45:1827 to 204.176.49.2:80
...
2006-05-09 03:26:08 TCP from 192.168.0.45:1828 to 204.176.49.116(204.176.49.116):8000
...
2006-05-09 03:37:22 TCP from 192.168.0.45:1829 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 03:39:52 TCP from 192.168.0.45:1830 to 204.176.49.116(204.176.49.116):8000
...
2006-05-09 03:52:23 TCP from 192.168.0.45:1831 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 04:07:26 TCP from 192.168.0.45:1832 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 04:22:28 TCP from 192.168.0.45:1833 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 04:37:30 TCP from 192.168.0.45:1834 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 04:39:58 TCP from 192.168.0.45:1835 to 204.176.49.116:8000
...
2006-05-09 04:52:33 TCP from 192.168.0.45:1836 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 05:07:35 TCP from 192.168.0.45:1837 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 05:22:38 TCP from 192.168.0.45:1838 to 204.176.49.2(204.176.49.2):80
...
2006-05-09 05:37:41 TCP from 192.168.0.45:1839 to 204.176.49.2:80
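
The log above shows the same two destinations being contacted on a fixed cycle, which is the kind of regularity a defender looks for when deciding whether a host is "phoning home". The following is an added example, not part of the thread, that parses router log lines in this format and flags flows whose connection gaps are nearly constant; the sample lines are taken from the post above, while the flow keys, thresholds and function names are my own.

```python
import re
from datetime import datetime
from statistics import median

# Log lines copied from the post above; the router writes the destination
# as "ip(ip):port" on some lines and "ip:port" on others.
LOG = """\
2006-05-08 23:36:41 TCP from 192.168.0.45:1808 to 204.176.49.2(204.176.49.2):80
2006-05-08 23:39:29 TCP from 192.168.0.45:1809 to 204.176.49.116:8000
2006-05-08 23:51:44 TCP from 192.168.0.45:1810 to 204.176.49.2(204.176.49.2):80
2006-05-09 00:06:47 TCP from 192.168.0.45:1811 to 204.176.49.2(204.176.49.2):80
2006-05-09 00:21:49 TCP from 192.168.0.45:1812 to 204.176.49.2(204.176.49.2):80
2006-05-09 00:36:53 TCP from 192.168.0.45:1813 to 204.176.49.2(204.176.49.2):80
2006-05-09 00:39:37 TCP from 192.168.0.45:1814 to 204.176.49.116(204.176.49.116):8000
2006-05-09 01:06:58 TCP from 192.168.0.45:1816 to 204.176.49.2:80
2006-05-09 01:39:41 TCP from 192.168.0.45:1819 to 204.176.49.116(204.176.49.116):8000
2006-05-09 01:39:42 1819/TCP from 204.176.49.116:8000 to 192.168.0.45:1819 Invalid TCP packet received, dropping packet
"""

# Outbound entries only; the inbound "Invalid TCP packet" line does not match.
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) TCP from (\d+\.\d+\.\d+\.\d+):\d+ "
                   r"to (\d+\.\d+\.\d+\.\d+)(?:\([\d.]+\))?:(\d+)$")

def parse(log):
    """Group connection timestamps by (source ip, destination ip, destination port)."""
    flows = {}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            flows.setdefault((m.group(2), m.group(3), int(m.group(4))), []).append(ts)
    return flows

def beacons(log, max_jitter=0.05, min_hits=3):
    """Return {flow: period_seconds} for flows that connect at a fixed interval."""
    found = {}
    for flow, stamps in parse(log).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # The median gap is the period; a gap near an integer multiple of it still
        # counts, so the unlogged connection (no source port 1815 above) is tolerated.
        period = median(gaps)
        regular = [round(g / period) >= 1 and
                   abs(g - round(g / period) * period) / period <= max_jitter
                   for g in gaps]
        if all(regular):
            found[flow] = round(period)
    return found
```

On these lines `beacons(LOG)` reports 204.176.49.2:80 every 903 seconds and 204.176.49.116:8000 every 3606 seconds, i.e. a 15-minute and a 60-minute cycle from 192.168.0.45, while the single inbound dropped-packet line is ignored.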

Re: determining if a system has spy ware on it



<snip>

Here's a Sam Spade lookup for the destination:

Trying 204.176.49.2 at ARIN
Trying 204.176.49 at ARIN

OrgName:    UUNET Technologies, Inc.
OrgID:      UU
Address:    22001 Loudoun County Parkway
City:       Ashburn
StateProv:  VA
PostalCode: 20147
Country:    US

NetRange:   204.176.0.0 - 204.179.255.255
CIDR:       204.176.0.0/14
NetName:    UUNETCBLK176-179
NetHandle:  NET-204-176-0-0-1
Parent:     NET-204-0-0-0-0
NetType:    Direct Allocation
NameServer: AUTH00.NS.UU.NET
NameServer: AUTH01.NS.UU.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    1994-10-17
Updated:    2001-09-26

RTechHandle: OA12-ARIN
RTechName:   UUnet Technologies, Inc., Technologies
RTechPhone:  +1-800-900-0241
RTechEmail:  help4u@mci.com

OrgAbuseHandle: ABUSE3-ARIN
OrgAbuseName:   abuse
OrgAbusePhone:  +1-800-900-0241
OrgAbuseEmail:  abuse-mail@mci.com

OrgNOCHandle: OA12-ARIN
OrgNOCName:   UUnet Technologies, Inc., Technologies
OrgNOCPhone:  +1-800-900-0241
OrgNOCEmail:  help4u@mci.com

OrgTechHandle: SWIPP-ARIN
OrgTechName:   swipper
OrgTechPhone:  +1-800-900-0241
OrgTechEmail:  swipper@mci.com

What legit software do you have from that company that might be
calling out?

Art
http://home.epix.net/~artnpeg


Re: determining if a system has spy ware on it




Is UUnet your ISP?

Art
http://home.epix.net/~artnpeg


Re: determining if a system has spy ware on it

no one wrote:


You can use ARIN and enter the IP(s) into the whois search box and find
out who the IP(s) belong to.

http://www.arin.net/index.html

If you know who the IP belongs to, you can make a determination if it's
legit or not legit.

I had a Linksys wireless network card phoning home on one of my Win XP
Pro machines a long time ago; it was the driver that was doing the phoning home.

I used Active Ports on the machine to tell me what program was making
the connection. Then from there, I used Process Explorer to find out
what program was making the connection, which was not the actual program
that was wanting the connection.

I then used PE to look inside the running program and pinpointed it to
an NT service the driver was piggybacking off, and I killed the
service, which was the Wireless Zero Configuration Service.

The above is an example of how sometimes you're going to have to go look
for yourself.

Duane :)

Re: determining if a system has spy ware on it


Actually, that link doesn't work.  Try www.arin.net/whois



Re: determining if a system has spy ware on it

mad NAT'er wrote:

Oops!

Duane :)

Re: determining if a system has spy ware on it

Duane - 11.05.2006 22:28 :


For that you unnecessarily fullquote ~60 fullquote lines again :-(

Please, learn to quote (shorten the quote as far as possible, for
example). THX in advance for your kind understanding.

--
by(e) PS
spam will be killed


Re: determining if a system has spy ware on it

On that special day, Duane Arnold said...


If it weren't ARIN, with its two-level information system, I would
recommend using a general whois interface, program or web site, like

http://www.completewhois.com/
http://www.fr2.cyberabuse.org/whois/?page=whois_server (french)
http://www.iks-jena.de/cgi-bin/whois (german)

or the program from http://www.gena01.com/win32whois/

without them, I would be at a loss.
 

Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de


--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.

Re: determining if a system has spy ware on it

On Fri, 12 May 2006 18:28:44 +0200 Gabriele Neukam wrote:

There's also Sam Spade, free from <http://www.samspade.org/ssw/>, and DNS
Stuff, <http://www.dnsstuff.com/>, if you're using a Mac.
--
Ernie B.

Communication:  The art of moving an idea from one mind to another,
hopefully without distortion.

Re: determining if a system has spy ware on it



In my experience a full scan at the Microsoft service
http://safety.live.com/site/en-US/default.htm works better than all
the other scanners put together. The only problem is that it takes
hours to run.

--
Steve Wolstenholme     Neural Planner Software

EasyNN-plus. The easy way to build neural networks.
http://www.easynn.com

Re: determining if a system has spy ware on it


|
| In my experience a full scan at the Microsoft service
| http://safety.live.com/site/en-US/default.htm works better than all
| the other scanners put together. The only problem is that it takes
| hours to run.
|

You are either an employee of Microsoft or are making a joke.

Microsoft has one of the WORST malware catch rates in the antivirus industry!

Now that Microsoft is on VirusTotal, anyone can find that out for themselves by
testing known samples.

Here is a quick test.  Three files I had previously submitted to Microsoft, so
they SHOULD detect the samples.  The file SVCHOST.EXE was submitted mid-March
to Microsoft!

taskdir.exe
---------
AntiVir 6.34.1.27 05.09.2006 TR/Dldr.Agent.G.1
Avast 4.6.695.0 05.08.2006 Win32:Trojano-CT
AVG 386 05.08.2006 Downloader.Generic.YVG
BitDefender 7.2 05.09.2006  no virus found
CAT-QuickHeal 8.00 05.09.2006  no virus found
ClamAV devel-20060426 05.09.2006  no virus found
DrWeb 4.33 05.09.2006 Trojan.Spambot
eTrust-InoculateIT 23.72.3 05.09.2006  no virus found
eTrust-Vet 12.4.2201 05.09.2006 Win32/Sinteri
Ewido 3.5 05.09.2006 Trojan.Small
Fortinet 2.76.0.0 05.09.2006 W32/Tibs.MM!tr
F-Prot 3.16c 05.09.2006 security risk named W32/Tibs.MM
Ikarus 0.2.65.0 05.09.2006  no virus found
Kaspersky 4.0.2.24 05.09.2006 Packed.Win32.Tibs
McAfee 4757 05.08.2006 Downloader-ZQ
Microsoft 1.1372 05.09.2006  no virus found
Norman 5.90.17 05.09.2006  no virus found
Panda 9.0.0.4 05.09.2006 Trj/Alanchum.L
Sophos 4.05.0 05.09.2006  no virus found
Symantec 8.0 05.09.2006 Trojan.Abwiz
TheHacker 5.9.7.140 05.08.2006  no virus found
UNA 1.83 05.06.2006  no virus found
VBA32 3.11.0 05.08.2006 Trojan.Spambot


atmclk2.exe
--------------
AntiVir 6.34.1.27 05.09.2006 TR/Agent.JN.1
Avast 4.6.695.0 05.08.2006  no virus found
AVG 386 05.08.2006 Downloader.Zlob.YI
BitDefender 7.2 05.09.2006 Trojan.Agent.JN
CAT-QuickHeal 8.00 05.09.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 05.09.2006  no virus found
DrWeb 4.33 05.09.2006 Trojan.Popuper
eTrust-InoculateIT 23.72.3 05.09.2006  no virus found
eTrust-Vet 12.4.2201 05.09.2006  no virus found
Ewido 3.5 05.09.2006 Downloader.Zlob.mw
Fortinet 2.76.0.0 05.09.2006 W32/Zlob.MW!tr.dldr
F-Prot 3.16c 05.09.2006 destructive program named W32/Trojan.CLE
Ikarus 0.2.65.0 05.09.2006 Trojan-Downloader.Win32.Zlob.mw
Kaspersky 4.0.2.24 05.09.2006 Trojan-Downloader.Win32.Zlob.mw
McAfee 4757 05.08.2006 Puper
Microsoft 1.1372 05.09.2006  no virus found
NOD32v2 1.1527 05.09.2006  no virus found
Norman 5.90.17 05.09.2006  no virus found
Panda 9.0.0.4 05.09.2006 Adware/SecurityError
Sophos 4.05.0 05.09.2006 Troj/Zlob-IM
Symantec 8.0 05.09.2006  no virus found
TheHacker 5.9.7.140 05.08.2006  no virus found
UNA 1.83 05.06.2006 TrojanDownloader.Win32.Zlob
VBA32 3.11.0 05.08.2006 Trojan.Popuper

svchost.exe
-------------
AntiVir 6.34.1.27 05.09.2006 TR/PSW.PdPi.CT.1.C
Avast 4.6.695.0 05.08.2006 Win32:LdPinch-S
AVG 386 05.08.2006 PSW.Generic.TQZ
BitDefender 7.2 05.09.2006 Trojan.PWS.PdPinch.CT
CAT-QuickHeal 8.00 05.09.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 05.09.2006  no virus found
DrWeb 4.33 05.09.2006 Trojan.PWS.LDPinch.800
eTrust-InoculateIT 23.72.3 05.09.2006 Win32/SillyDL.5kp!Trojan
eTrust-Vet 12.4.2201 05.09.2006 Win32/LdPinch.BA
Ewido 3.5 05.09.2006 Trojan.PdPinch.ct
Fortinet 2.76.0.0 05.09.2006 W32/LdPinch.FH!pws
F-Prot 3.16c 05.09.2006 destructive program named W32/Trojan.BFP
Ikarus 0.2.65.0 05.09.2006 Trojan-PSW.Win32.PdPinch.CT
Kaspersky 4.0.2.24 05.09.2006 Trojan-PSW.Win32.PdPinch.ct
McAfee 4757 05.08.2006 PWS-LDPinch
Microsoft 1.1372 05.09.2006  no virus found
NOD32v2 1.1527 05.09.2006  no virus found
Norman 5.90.17 05.09.2006 W32/PdPinch.DA
Panda 9.0.0.4 05.09.2006 Adware/Adsmart
Sophos 4.05.0 05.09.2006 Troj/LdPinch-FH
Symantec 8.0 05.09.2006 Infostealer
TheHacker 5.9.7.140 05.08.2006 Trojan/PSW.PdPinch.ct
UNA 1.83 05.06.2006 Trojan.PSW.Win32.PdPinch
VBA32 3.11.0 05.08.2006 Trojan-PSW.Win32.PdPinch.ct


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: determining if a system has spy ware on it

On Tue, 09 May 2006 16:10:02 GMT, "David H. Lipman"


Neither.


OK, it's a virus group but we were talking spyware.

The reason I rate the Microsoft scanner is that it detected
klgepmth.xiv before opening the door to lots of spyware. Many of the
other scanners still don't detect it.

--
Steve Wolstenholme     Neural Planner Software

EasyNN-plus. The easy way to build neural networks.
http://www.easynn.com

Re: determining if a system has spy ware on it



| OK, it's a virus group but we were talking spyware.
|
| The reason I rate the Microsoft scanner is that it detected
| klgepmth.xiv before opening the door to lots of spyware. Many of the
| other scanners still don't detect it.
|

The Microsoft http://safety.live.com web site covers all forms of malware.
However, not well.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: determining if a system has spy ware on it

On Tue, 09 May 2006 16:10:02 GMT, "David H. Lipman"


Hey, the site offers a registry cleaner. I figured MS might be at
least able to do that right. So far so good. My Win 2K PC survived
the registry cleanup, and if I stretch my imagination and wishful
thinking enough, it might have even improved performance a bit.

:)

Art
http://home.epix.net/~artnpeg


Re: determining if a system has spy ware on it


Art wrote:

============
I tried it and it said I had 972 registry problems, this on a clean
install of a W2K system about 8 months ago.  110 problems with file
associations?  I cancelled out of it.

Perhaps after a few more system backups :0)

