Determining if a system has spyware on it

no one

Hi,

I have a home PC connected to the Internet. I run Norton AntiVirus
version 7 or 8 and it is up to date. I also run Ad-Aware and Spybot
Search & Destroy. All come up clean.

However, when I log in it seems to take longer on one of my systems for
the Explorer bar to come up and be active. Could I have a rootkit and
not know it?

Just wondering?
 
Duane Arnold

no said:
Hi,

I have a home PC connected to the Internet. I run Norton AntiVirus
version 7 or 8 and it is up to date. I also run Ad-Aware and Spybot
Search & Destroy. All come up clean.

However, when I log in it seems to take longer on one of my systems for
the Explorer bar to come up and be active. Could I have a rootkit and
not know it?

Just wondering?

You can use the tools in the link.

Long

http://www.windowsecurity.com/artic...d_Rootkit_Tools_in_a_Windows_Environment.html

Short

http://tinyurl.com/klw1

Duane :)
 
steve

Hi,

I have a home PC connected to the Internet. I run Norton AntiVirus
version 7 or 8 and it is up to date. I also run Ad-Aware and Spybot
Search & Destroy. All come up clean.

In my experience a full scan at the Microsoft service
http://safety.live.com/site/en-US/default.htm works better than all
the other scanners put together. The only problem is that it takes
hours to run.
 
David H. Lipman

From: <[email protected]>

|
| In my experience a full scan at the Microsoft service
| http://safety.live.com/site/en-US/default.htm works better than all
| the other scanners put together. The only problem is that it takes
| hours to run.
|

You are either an employee of Microsoft or are making a joke.

Microsoft has one of the WORST malware catch rates in the antivirus industry!

Now that Microsoft is on VirusTotal, anyone can find that out for themselves by testing
known samples.

Here is a quick test. Three files I had previously submitted to Microsoft, so they SHOULD
detect the samples. The file SVCHOST.EXE was submitted mid-March to Microsoft!

taskdir.exe
---------
AntiVir 6.34.1.27 05.09.2006 TR/Dldr.Agent.G.1
Avast 4.6.695.0 05.08.2006 Win32:Trojano-CT
AVG 386 05.08.2006 Downloader.Generic.YVG
BitDefender 7.2 05.09.2006 no virus found
CAT-QuickHeal 8.00 05.09.2006 no virus found
ClamAV devel-20060426 05.09.2006 no virus found
DrWeb 4.33 05.09.2006 Trojan.Spambot
eTrust-InoculateIT 23.72.3 05.09.2006 no virus found
eTrust-Vet 12.4.2201 05.09.2006 Win32/Sinteri
Ewido 3.5 05.09.2006 Trojan.Small
Fortinet 2.76.0.0 05.09.2006 W32/Tibs.MM!tr
F-Prot 3.16c 05.09.2006 security risk named W32/Tibs.MM
Ikarus 0.2.65.0 05.09.2006 no virus found
Kaspersky 4.0.2.24 05.09.2006 Packed.Win32.Tibs
McAfee 4757 05.08.2006 Downloader-ZQ
Microsoft 1.1372 05.09.2006 no virus found
Norman 5.90.17 05.09.2006 no virus found
Panda 9.0.0.4 05.09.2006 Trj/Alanchum.L
Sophos 4.05.0 05.09.2006 no virus found
Symantec 8.0 05.09.2006 Trojan.Abwiz
TheHacker 5.9.7.140 05.08.2006 no virus found
UNA 1.83 05.06.2006 no virus found
VBA32 3.11.0 05.08.2006 Trojan.Spambot


atmclk2.exe
--------------
AntiVir 6.34.1.27 05.09.2006 TR/Agent.JN.1
Avast 4.6.695.0 05.08.2006 no virus found
AVG 386 05.08.2006 Downloader.Zlob.YI
BitDefender 7.2 05.09.2006 Trojan.Agent.JN
CAT-QuickHeal 8.00 05.09.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 05.09.2006 no virus found
DrWeb 4.33 05.09.2006 Trojan.Popuper
eTrust-InoculateIT 23.72.3 05.09.2006 no virus found
eTrust-Vet 12.4.2201 05.09.2006 no virus found
Ewido 3.5 05.09.2006 Downloader.Zlob.mw
Fortinet 2.76.0.0 05.09.2006 W32/Zlob.MW!tr.dldr
F-Prot 3.16c 05.09.2006 destructive program named W32/Trojan.CLE
Ikarus 0.2.65.0 05.09.2006 Trojan-Downloader.Win32.Zlob.mw
Kaspersky 4.0.2.24 05.09.2006 Trojan-Downloader.Win32.Zlob.mw
McAfee 4757 05.08.2006 Puper
Microsoft 1.1372 05.09.2006 no virus found
NOD32v2 1.1527 05.09.2006 no virus found
Norman 5.90.17 05.09.2006 no virus found
Panda 9.0.0.4 05.09.2006 Adware/SecurityError
Sophos 4.05.0 05.09.2006 Troj/Zlob-IM
Symantec 8.0 05.09.2006 no virus found
TheHacker 5.9.7.140 05.08.2006 no virus found
UNA 1.83 05.06.2006 TrojanDownloader.Win32.Zlob
VBA32 3.11.0 05.08.2006 Trojan.Popuper

svchost.exe
-------------
AntiVir 6.34.1.27 05.09.2006 TR/PSW.PdPi.CT.1.C
Avast 4.6.695.0 05.08.2006 Win32:LdPinch-S
AVG 386 05.08.2006 PSW.Generic.TQZ
BitDefender 7.2 05.09.2006 Trojan.PWS.PdPinch.CT
CAT-QuickHeal 8.00 05.09.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 05.09.2006 no virus found
DrWeb 4.33 05.09.2006 Trojan.PWS.LDPinch.800
eTrust-InoculateIT 23.72.3 05.09.2006 Win32/SillyDL.5kp!Trojan
eTrust-Vet 12.4.2201 05.09.2006 Win32/LdPinch.BA
Ewido 3.5 05.09.2006 Trojan.PdPinch.ct
Fortinet 2.76.0.0 05.09.2006 W32/LdPinch.FH!pws
F-Prot 3.16c 05.09.2006 destructive program named W32/Trojan.BFP
Ikarus 0.2.65.0 05.09.2006 Trojan-PSW.Win32.PdPinch.CT
Kaspersky 4.0.2.24 05.09.2006 Trojan-PSW.Win32.PdPinch.ct
McAfee 4757 05.08.2006 PWS-LDPinch
Microsoft 1.1372 05.09.2006 no virus found
NOD32v2 1.1527 05.09.2006 no virus found
Norman 5.90.17 05.09.2006 W32/PdPinch.DA
Panda 9.0.0.4 05.09.2006 Adware/Adsmart
Sophos 4.05.0 05.09.2006 Troj/LdPinch-FH
Symantec 8.0 05.09.2006 Infostealer
TheHacker 5.9.7.140 05.08.2006 Trojan/PSW.PdPinch.ct
UNA 1.83 05.06.2006 Trojan.PSW.Win32.PdPinch
VBA32 3.11.0 05.08.2006 Trojan-PSW.Win32.PdPinch.ct
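As an added example (not the poster's own code), a small parser for the multi-scanner listing above that tallies each engine's catch rate across the submitted samples; the embedded data is a constructed subset of the verdicts quoted in the post, four engines per file.

```python
import re
from collections import defaultdict
# Constructed subset of the results quoted in the post, same "engine version date verdict" layout.
SAMPLE_RESULTS = """\
taskdir.exe
---------
Avast 4.6.695.0 05.08.2006 Win32:Trojano-CT
Kaspersky 4.0.2.24 05.09.2006 Packed.Win32.Tibs
McAfee 4757 05.08.2006 Downloader-ZQ
Microsoft 1.1372 05.09.2006 no virus found

atmclk2.exe
--------------
Avast 4.6.695.0 05.08.2006 no virus found
Kaspersky 4.0.2.24 05.09.2006 Trojan-Downloader.Win32.Zlob.mw
McAfee 4757 05.08.2006 Puper
Microsoft 1.1372 05.09.2006 no virus found

svchost.exe
-------------
Avast 4.6.695.0 05.08.2006 Win32:LdPinch-S
Kaspersky 4.0.2.24 05.09.2006 Trojan-PSW.Win32.PdPinch.ct
McAfee 4757 05.08.2006 PWS-LDPinch
Microsoft 1.1372 05.09.2006 no virus found
"""
# "<engine> <version> <dd.mm.yyyy> <verdict>"; any other non-blank, non-dashed line is a file name.
RESULT_RE = re.compile(r"^(?P<engine>\S+) \S+ \d\d\.\d\d\.\d{4} (?P<verdict>.+)$")

def parse_results(text):
    """Return {sample: {engine: verdict}} with None marking 'no virus found'."""
    samples, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or set(line) == {"-"}:
            continue
        m = RESULT_RE.match(line)
        if m is None:                      # sample header, e.g. "taskdir.exe"
            current, samples[line] = line, {}
        else:
            samples[current][m["engine"]] = None if m["verdict"] == "no virus found" else m["verdict"]
    return samples

def engine_catch_rates(samples):
    """Per engine: (engine, detected, scanned) across all samples, lowest rate first."""
    tally = defaultdict(lambda: [0, 0])
    for verdicts in samples.values():
        for engine, v in verdicts.items():
            tally[engine][1] += 1
            tally[engine][0] += v is not None
    return sorted(((e, d, n) for e, (d, n) in tally.items()), key=lambda r: (r[1] / r[2], r[0]))
```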
 
steve

From: <[email protected]>

|
| In my experience a full scan at the Microsoft service
| http://safety.live.com/site/en-US/default.htm works better than all
| the other scanners put together. The only problem is that it takes
| hours to run.
|

You are either an employee of Microsoft or are making a joke.

Neither.

Microsoft has one of the WORST malware catch rates in the antivirus industry!

OK, it's a virus group but we were talking spyware.

The reason I rate the Microsoft scanner is that it detected
klgepmth.xiv before opening the door to lots of spyware. Many of the
other scanners still don't detect it.
 
Art

From: <[email protected]>

|
| In my experience a full scan at the Microsoft service
| http://safety.live.com/site/en-US/default.htm works better than all
| the other scanners put together. The only problem is that it takes
| hours to run.
|

You are either an employee of Microsoft or are making a joke.

Microsoft has one of the WORST malware catch rates in the antivirus industry!

Hey, the site offers a registry cleaner. I figured MS might be at
least able to do that right. So far so good. My Win 2K PC survived
the registry cleanup, and if I stretch my imagination and wishful
thinking enough, it might have even improved performance a bit.

:)

Art
http://home.epix.net/~artnpeg
 
no one

Duane said:

I just looked at the firewall log of my router. For a different system
in my house I see a connection when no one was on the system.

What does anyone make of this?
Here is my firewall log
--------------------------
2006-05-08 23:36:41 TCP from 192.168.0.45:1808 to 204.176.49.2(204.176.49.2):80
....
2006-05-08 23:39:29 TCP from 192.168.0.45:1809 to 204.176.49.116:8000
....
2006-05-08 23:51:44 TCP from 192.168.0.45:1810 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 00:06:47 TCP from 192.168.0.45:1811 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 00:21:49 TCP from 192.168.0.45:1812 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 00:36:53 TCP from 192.168.0.45:1813 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 00:39:37 TCP from 192.168.0.45:1814 to 204.176.49.116(204.176.49.116):8000
....
2006-05-09 01:06:58 TCP from 192.168.0.45:1816 to 204.176.49.2:80
....
2006-05-09 01:22:01 TCP from 192.168.0.45:1817 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 01:37:02 TCP from 192.168.0.45:1818 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 01:39:41 TCP from 192.168.0.45:1819 to 204.176.49.116(204.176.49.116):8000
....
2006-05-09 01:39:42 1819/TCP from 204.176.49.116:8000 to 192.168.0.45:1819 Invalid TCP packet received, dropping packet
....
2006-05-09 01:52:04 TCP from 192.168.0.45:1820 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 02:07:07 TCP from 192.168.0.45:1821 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 02:22:09 TCP from 192.168.0.45:1822 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 02:37:11 TCP from 192.168.0.45:1823 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 02:39:47 TCP from 192.168.0.45:1824 to 204.176.49.116:8000
....
2006-05-09 02:52:14 TCP from 192.168.0.45:1825 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 03:07:16 TCP from 192.168.0.45:1826 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 03:22:19 TCP from 192.168.0.45:1827 to 204.176.49.2:80
....
2006-05-09 03:26:08 TCP from 192.168.0.45:1828 to 204.176.49.116(204.176.49.116):8000
....
2006-05-09 03:37:22 TCP from 192.168.0.45:1829 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 03:39:52 TCP from 192.168.0.45:1830 to 204.176.49.116(204.176.49.116):8000
....
2006-05-09 03:52:23 TCP from 192.168.0.45:1831 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 04:07:26 TCP from 192.168.0.45:1832 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 04:22:28 TCP from 192.168.0.45:1833 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 04:37:30 TCP from 192.168.0.45:1834 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 04:39:58 TCP from 192.168.0.45:1835 to 204.176.49.116:8000
....
2006-05-09 04:52:33 TCP from 192.168.0.45:1836 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 05:07:35 TCP from 192.168.0.45:1837 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 05:22:38 TCP from 192.168.0.45:1838 to 204.176.49.2(204.176.49.2):80
....
2006-05-09 05:37:41 TCP from 192.168.0.45:1839 to 204.176.49.2:80
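One way to make the pattern in a log like this visible, as an added example (not code from the thread): group the router's outbound entries by destination and flag flows whose inter-connection gaps are near-constant, which is what a scheduled check-in looks like from the firewall's side. The embedded data is a constructed subset of the entries above with the line wrapping undone; a legitimate updater and unwanted software both produce this shape, so a hit is a lead to run down on the host, not a verdict.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the router's log format: a subset of the thread's entries with
# the e-mail line wrapping undone, plus the router's own "Invalid TCP packet" notice.
SAMPLE_LOG = """\
2006-05-08 23:36:41 TCP from 192.168.0.45:1808 to 204.176.49.2(204.176.49.2):80
2006-05-08 23:39:29 TCP from 192.168.0.45:1809 to 204.176.49.116:8000
2006-05-08 23:51:44 TCP from 192.168.0.45:1810 to 204.176.49.2(204.176.49.2):80
2006-05-09 00:06:47 TCP from 192.168.0.45:1811 to 204.176.49.2(204.176.49.2):80
2006-05-09 00:21:49 TCP from 192.168.0.45:1812 to 204.176.49.2(204.176.49.2):80
2006-05-09 00:36:53 TCP from 192.168.0.45:1813 to 204.176.49.2(204.176.49.2):80
2006-05-09 00:39:37 TCP from 192.168.0.45:1814 to 204.176.49.116(204.176.49.116):8000
2006-05-09 01:06:58 TCP from 192.168.0.45:1816 to 204.176.49.2:80
2006-05-09 01:22:01 TCP from 192.168.0.45:1817 to 204.176.49.2(204.176.49.2):80
2006-05-09 01:39:41 TCP from 192.168.0.45:1819 to 204.176.49.116(204.176.49.116):8000
2006-05-09 01:39:42 1819/TCP from 204.176.49.116:8000 to 192.168.0.45:1819 Invalid TCP packet received, dropping packet
2006-05-09 02:39:47 TCP from 192.168.0.45:1824 to 204.176.49.116:8000
"""
LINE_RE = re.compile(  # outbound entries; the destination may repeat itself in parentheses
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) TCP from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\([\d.]+\))?:(?P<dport>\d+)\s*$")

def parse_outbound(log):
    """Group connection timestamps by (src, dst, dport); other line shapes are skipped."""
    flows = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            flows[(m["src"], m["dst"], int(m["dport"]))].append(ts)
    return flows

def beacon_candidates(flows, min_hits=4, tolerance=0.15, min_regular=0.75):
    """Flag flows whose gaps cluster around one period; the median lets a single missed
    check-in (a gap of ~2x the period) pass. Returns [(flow, hits, period_seconds)]."""
    found = []
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        regular = sum(abs(g - period) <= tolerance * period for g in gaps) / len(gaps)
        if period > 0 and regular >= min_regular:
            found.append((key, len(times), int(period)))
    return sorted(found, key=lambda r: -r[1])
```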
 
David H. Lipman

From: <[email protected]>


| OK, it's a virus group but we were talking spyware.
|
| The reason I rate the Microsoft scanner is that it detected
| klgepmth.xiv before opening the door to lots of spyware. Many of the
| other scanners still don't detect it.
|

The Microsoft http://safety.live.com web site covers all forms of malware. However,
not well.
 
Art

I just looked at the firewall log of my router. For a different system
in my house I see a connection when no one was on the system.

What does anyone make of this?
Here is my firewall log

<snip>

Here's a Sam Spade lookup for the destination:

Trying 204.176.49.2 at ARIN
Trying 204.176.49 at ARIN

OrgName: UUNET Technologies, Inc.
OrgID: UU
Address: 22001 Loudoun County Parkway
City: Ashburn
StateProv: VA
PostalCode: 20147
Country: US

NetRange: 204.176.0.0 - 204.179.255.255
CIDR: 204.176.0.0/14
NetName: UUNETCBLK176-179
NetHandle: NET-204-176-0-0-1
Parent: NET-204-0-0-0-0
NetType: Direct Allocation
NameServer: AUTH00.NS.UU.NET
NameServer: AUTH01.NS.UU.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1994-10-17
Updated: 2001-09-26

RTechHandle: OA12-ARIN
RTechName: UUnet Technologies, Inc., Technologies
RTechPhone: +1-800-900-0241
RTechEmail: (e-mail address removed)

OrgAbuseHandle: ABUSE3-ARIN
OrgAbuseName: abuse
OrgAbusePhone: +1-800-900-0241
OrgAbuseEmail: (e-mail address removed)

OrgNOCHandle: OA12-ARIN
OrgNOCName: UUnet Technologies, Inc., Technologies
OrgNOCPhone: +1-800-900-0241
OrgNOCEmail: (e-mail address removed)

OrgTechHandle: SWIPP-ARIN
OrgTechName: swipper
OrgTechPhone: +1-800-900-0241
OrgTechEmail: (e-mail address removed)

What legit software do you have from that company that might be
calling out?

Art
http://home.epix.net/~artnpeg
 
Duane Arnold

no said:
I just looked at the firewall log of my router. For a different system
in my house I see a connection when no one was on the system.

What does anyone make of this?


You can use ARIN and enter the IP(s) into the whois search box and find
out who the IP(s) belong to.

http://www.arin.net/index.html

If you know who the IP belongs to, you can make a determination if it's
legit or not legit.

I had a Linksys wireless network card phoning home on one of my Win XP
Pro machines a long time ago; it was the driver that was doing the phoning home.

I used Active Ports on the machine to tell me what program was making
the connection. Then from there, I used Process Explorer to find out
what program was making the connection, which was not the actual program
that was wanting the connection.

I then used PE to look inside the running program and pinpointed it to
an NT service the driver was piggybacking off of, and I killed
the service, which was the Wireless Zero Configuration Service.

The above is an example that sometimes you're going to have to go look
for yourself.

Duane :)
 
Peter Seiler

Duane - 11.05.2006 22:28 :
Oops!

Duane :)

For that you unnecessarily full-quote ~60 quoted lines again :-(

Please learn to quote (shorten the quote as far as possible, for
example). THX in advance for your kind understanding.
 
Gabriele Neukam

On that special day, Duane Arnold said...

If it weren't ARIN, with its two-level information system, I would
recommend using a general whois interface, program or web site, like

http://www.completewhois.com/
http://www.fr2.cyberabuse.org/whois/?page=whois_server (French)
http://www.iks-jena.de/cgi-bin/whois (German)

or the program from http://www.gena01.com/win32whois/

without them, I would be at a loss.


Gabriele Neukam

(e-mail address removed)
 
Ernie B.

If it weren't ARIN, with its two-level information system, I would
recommend using a general whois interface, program or web site, like

http://www.completewhois.com/
http://www.fr2.cyberabuse.org/whois/?page=whois_server (French)
http://www.iks-jena.de/cgi-bin/whois (German)

or the program from http://www.gena01.com/win32whois/

without them, I would be at a loss.


Gabriele Neukam

(e-mail address removed)
There's also Sam Spade, free from <http://www.samspade.org/ssw/>, and
DNSstuff, <http://www.dnsstuff.com/>, if you're using a Mac.
 
Duh_OZ

Hey, the site offers a registry cleaner. I figured MS might be at
least able to do that right. So far so good. My Win 2K PC survived
the registry cleanup, and if I stretch my imagination and wishful
thinking enough, it might have even improved performance a bit.

:)
============
I tried it and it said I had 972 registry problems, this on a clean
install of a W2K system about 8 months ago. 110 problems with file
associations? I cancelled out of it.

Perhaps after a few more system backups :0)
 
