Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: AleKx on April 04, 2008, 10:02:07 AM

Title: Please Help!
Post by: AleKx on April 04, 2008, 10:02:07 AM
Greetings.

I formatted my C: drive 3 days ago and re-installed Windows XP. I'm also behind a router, and I run Avast!. Not two hours after the fresh installation, I checked the status of netstat and found one address constantly listening to certain ports. At first I thought it was normal, considering Avast! has a Network Shield and Web Shield and an Email shield etc... But then I uninstalled Avast!, to see if the listening host would leave, expecting it to, if indeed that IP is used by Avast! to run the Shields or whatever, but no. Even after uninstalling Avast! completely (also cleaning my caches and temp files), the host was still listening. This got me more than intrigued. There's also the fact that it was the same IP.

I did a Network Lookup on the host/IP with http://network-tools.com/ for the IP that was listening. Here's what I got.

I also want to mention that I have a DSL modem, and I tried changing my IP by resetting the modem (which worked), but the IP was still listening...

Quote
IP address: 151.32.25.54
Host name: ppp-54-25.32-151.iol.it

Then, I googled the IP itself (151.32.25.54) and there's only one query reply. It's a website with a blacklist, containing IP addresses. Guess which IP is on the blacklist, 151.32.25.54 - Try it yourself, open up a browser, and google the IP: "151.32.25.54".

At this point my worries aren't lessening in any way. I downloaded X-Netstat, and the program would detect EVERY connection but that one. I then tried NetStat Agent, the program would also detect EVERY connection but that one, 151.32.25.54.

The IP is listening on very sensitive ports, which are very common for worms or trojans. One of them is a very well-known virus called Blaster, and coincidentally, the IP is using the same port many trojans would use, and the IP is also using processes, which was even scarier. Here's what I found in Netstat -ab (to find out the PID and process the connection is or might be using).

Quote
Microsoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-2001.

C:\DOCUME~1\ADMINI~1>netstat -ab

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    box:epmap              ppp-54-25.32-151.iol.it:0  LISTENING       808
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  -- unknown component(s) --
  [svchost.exe]

  TCP    box:microsoft-ds       ppp-54-25.32-151.iol.it:0  LISTENING       4
  [System]

  TCP    box:2869               ppp-54-25.32-151.iol.it:0  LISTENING       1088
  C:\WINDOWS\System32\httpapi.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  TCP    box:1026               ppp-54-25.32-151.iol.it:0  LISTENING       1700
  [alg.exe]

  TCP    box:12025              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12080              ppp-54-25.32-151.iol.it:0  LISTENING       1104
  [ashWebSv.exe]

  TCP    box:12110              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12119              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12143              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:netbios-ssn        ppp-54-25.32-151.iol.it:0  LISTENING       4
  [System]


Here is the result of Netstat -a after Uninstalling Avast!

Quote
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    box:epmap              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:microsoft-ds       ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:2869               ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:1026               ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:1046               localhost:1045         TIME_WAIT
  TCP    box:12025              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:12080              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:12110              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:12119              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:12143              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:netbios-ssn        ppp-54-25.32-151.iol.it:0  LISTENING

The connections are still there. Notice that it's listening on port 0, and that it's also listening on the netbios.

That being said, I would appreciate greatly if someone could shed some light on this for me. I'm here thinking it's a virus, but then if it is, why isn't Avast! catching it? But then again, if it was a virus, why would Avast! use it?

And if it isn't a virus, and it is from Avast!, why is it still there after I Uninstall?

Notice that the host-name starts with "ppp" - meaning it's either a dial-up or DSL modem. Why would a company such as Avast! use "possibly" dial-up or DSL modems? Wouldn't they use oc12's or at least a T1/T3 ?

I'm utterly confused even after doing a vast amount of research on every single piece of information I could gather. I don't expect all my questions to be answered - but if anyone could answer me this one: Why does Avast! use the ip and listen in on my ports when installed, and why does it still do it after I have uninstalled?

Thank you for taking the time to read, any help is greatly appreciated!

Title: Re: Please Help!
Post by: alanrf on April 04, 2008, 11:17:08 AM
I think you have some misunderstanding of the information you are seeing ... but there is some basis for concern, although not perhaps in the way that you think.

It does appear that you have been unsuccessful in removing avast from your system.  If you had been successful then avast would not still be intercepting the ports that your report shows. 

How did you uninstall avast? 

Have you downloaded and run the latest avast uninstall utility (here: http://files.avast.com/files/eng/aswclear.exe) from the avast website?
Title: Re: Please Help!
Post by: AleKx on April 04, 2008, 07:27:52 PM
I used the control panel to remove Avast!

99% of programs I use don't need you to download their own uninstaller, it already comes with it. All my programs are safe to delete from the control panel, cleaning my temp folders and cache helps too. This is the first time I have to download a separate "uninstaller" - It's not like Avast! makes sure you know either. Thanks for the tip. I'll see if that works.

Why is the IP Avast! is using also on some online blacklists?
Title: Re: Please Help!
Post by: AleKx on April 04, 2008, 07:40:38 PM
Ok so I re-installed Avast! to make sure no conflicts would arise when properly uninstalling. I installed Avast! - the connections remained. I closed Avast! and ran the "aswclear.exe" - Avast!'s uninstall. And guess what, the connection is still there (even after rebooting). Except it's no longer using ashweb.exe and stuff. It's using system processes and DLL files. I think that I'm a lot more on the mark than you think. Avast! is completely uninstalled, my cache is cleaned and so are my temp folders, I also defragged my registry, my pc is super healthy.

The only possible explanation I can come up with is that Avast! can't detect the worm or virus that is trying to phone home. It's constantly listening on my ports, albeit waiting for one to open (fat chance, I'm behind a router) - but I still want to know who the hell keeps listening on my ports. This is a fresh install of Windows XP, I shouldn't have any problems. Avast! uses the same IP that is STILL CONNECTED to me after uninstalling Avast!. Why?!
And why does it use system processes and .DLL files?!

This is very frustrating. I have a right to know who's listening on my ports. If a Staff member of the forums could answer? Thank you for all your help in advance to whoever is taking the time to read and help me!

Here is Netstat -ab WITH Avast! INSTALLED:
Quote
Microsoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-2001.

C:\DOCUME~1\ADMINI~1>netstat -ab

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    box:epmap              ppp-54-25.32-151.iol.it:0  LISTENING       808
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  -- unknown component(s) --
  [svchost.exe]

  TCP    box:microsoft-ds       ppp-54-25.32-151.iol.it:0  LISTENING       4
  [System]

  TCP    box:2869               ppp-54-25.32-151.iol.it:0  LISTENING       1088
  C:\WINDOWS\System32\httpapi.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  TCP    box:1026               ppp-54-25.32-151.iol.it:0  LISTENING       1700
  [alg.exe]

  TCP    box:12025              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12080              ppp-54-25.32-151.iol.it:0  LISTENING       1104
  [ashWebSv.exe]

  TCP    box:12110              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12119              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12143              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:netbios-ssn        ppp-54-25.32-151.iol.it:0  LISTENING       4


Here's Netstat -ab after UNINSTALLING Avast! with "aswclear.exe"

Quote
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>netstat -ab

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    box:epmap              ppp-54-25.32-151.iol.it:0  LISTENING       796
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\ADVAPI32.dll
  [svchost.exe]

  TCP    box:microsoft-ds       ppp-54-25.32-151.iol.it:0  LISTENING       4
  [System]

  TCP    box:1028               ppp-54-25.32-151.iol.it:0  LISTENING       444
  [alg.exe]

  TCP    box:netbios-ssn        ppp-54-25.32-151.iol.it:0  LISTENING       4
  [System]

  TCP    box:1032               localhost:1033         ESTABLISHED     1696
  [firefox.exe]

  TCP    box:1033               localhost:1032         ESTABLISHED     1696
  [firefox.exe]

  TCP    box:1034               localhost:1035         ESTABLISHED     1696
  [firefox.exe]

  TCP    box:1035               localhost:1034         ESTABLISHED     1696
  [firefox.exe]

  UDP    box:isakmp             *:*                                    588
  [lsass.exe]

  UDP    box:1036               *:*                                    908
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    box:4500               *:*                                    588
  [lsass.exe]

  UDP    box:microsoft-ds       *:*                                    4
  [System]

  UDP    box:1900               *:*                                    944
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    box:ntp                *:*                                    864
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    box:netbios-ns         *:*                                    4
  [System]

  UDP    box:1900               *:*                                    944
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    box:netbios-dgm        *:*                                    4
  [System]

  UDP    box:ntp                *:*                                    864
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]




Title: Re: Please Help!
Post by: Lisandro on April 04, 2008, 07:57:34 PM
Quote
This is the first time I have to download a separate "uninstaller" - It's not like Avast! makes sure you know either.
It's there just in case that the common Add/Remove programs failed. It's not a must have, but just if the default way failed (for any reason).
Title: Re: Please Help!
Post by: AleKx on April 04, 2008, 08:00:25 PM
Clearly the IP is still there and using important processes, listening on sensitive ports. My registry is healthy, my copy of Windows is legit, I just formatted not long ago, and I had installed Avast! right away.

I know 3 things.

1)Avast! uses the ip that is listening on my ports.
2)The ip is still there after completely uninstalling Avast!, and continues to listen on my ports.
3)I don't want anyone listening on my ports. If my router goes down, chances are the ports will open. Right now the host is constantly on "Listening" because my router blocks the ports.

Also - Why is avast using an IP that listens on my port - but that ip is on a BLACKLIST Google 151.32.25.54

I also tried updating some of the files that it was trying to use: WS2_32.dll and RPCRT4.dll - the host is still listening.
Title: Re: Please Help!
Post by: AleKx on April 04, 2008, 08:06:36 PM
Tech said:
Quote
It's there just in case that the common Add/Remove programs failed. It's not a must have, but just if the default way failed (for any reason).

I don't mean to be rude but are you going to offer me any help with this matter?

I was expecting a little more help from a Staff member than just "we have the uninstaller in case add/remove programs fails".

can you explain why the IP is still listening on my ports after completely uninstalling Avast! ? And why is that IP that Avast! uses on a IP Blacklist?


Title: Re: Please Help!
Post by: Lisandro on April 04, 2008, 08:06:59 PM
avast never uses a tracking back system.
To update, avast checks if there is an available connection each 40 seconds.
If there isn't, wait another 40 seconds to check. Checking does not take more than one second and, of course, does not use Internet bandwidth.
If there is a connection, check for an update. If there is not any new file to download, wait 4 hours to start checking again. If there is an available update, start it and install it. Again, wait 4 hours to check the next time.

If any program is trying to 'listen' to your ports, look, maybe you're infected.
avast does not do that and even less if it is uninstalled... that makes no sense at all...
Title: Re: Please Help!
Post by: AleKx on April 04, 2008, 08:09:40 PM
How can I have a virus?

I installed Windows 4 days ago. CLEAN COMPUTER.

Before connecting the internet long term, I installed Avast!

I'm behind a router.

To be honest Tech you seem to have NO clue, thanks for the help though.

THE IP THAT AVAST USES FOR ASHWEB AND OTHER THINGS IS THE SAME IP THAT IS STILL LISTENING EVEN AFTER UNINSTALLING AVAST.

Please read my posts carefully, I've been on this problem ever since it started. I'm a fairly intelligent person with a good sense of logic. So far no one has been able to tell me something I don't know other than "we have aswclear.exe in case add/remove programs dont work"

 >:(

If no one can help me here, I will go through the painful process of calling ISP's.

AVAST USES THIS IP
Quote
TCP    box:12025              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

The ip STILL LISTENS ON MANY PORTS, USING VERY IMPORTANT PROCESSES, AVAST IS UNINSTALLED
Title: Re: Please Help!
Post by: DavidR on April 04, 2008, 08:17:18 PM
Well that IP doesn't belong to avast, if something on your system is trying to access the internet over one of the ports (80 http or email, 25, 110, 119, 143) that avast redirects through a localhost proxy, the reporting software may consider that avast is connecting to that IP.

Here are my netstat results whilst on-line
Quote
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    PC1:803                PC1:0                  LISTENING       1444
  [outpost.exe]

  TCP    PC1:1025               PC1:0                  LISTENING       2200
  [alg.exe]

  TCP    PC1:12025              PC1:0                  LISTENING       2084
  [ashMaiSv.exe]

  TCP    PC1:12080              PC1:0                  LISTENING       2100
  [ashWebSv.exe]

  TCP    PC1:12110              PC1:0                  LISTENING       2084
  [ashMaiSv.exe]

  TCP    PC1:12119              PC1:0                  LISTENING       2084
  [ashMaiSv.exe]

  TCP    PC1:12143              PC1:0                  LISTENING       2084
  [ashMaiSv.exe]

  TCP    PC1:1055               PC1:1056               ESTABLISHED     1924
  [firefox.exe]

  TCP    PC1:1056               PC1:1055               ESTABLISHED     1924
  [firefox.exe]

  TCP    PC1:1058               PC1:1059               ESTABLISHED     1924
  [firefox.exe]

  TCP    PC1:1059               PC1:1058               ESTABLISHED     1924
  [firefox.exe]

  UDP    PC1:4500               *:*                                    876
  [lsass.exe]

  UDP    PC1:isakmp             *:*                                    876
  [lsass.exe]


So no spurious IPs
You will also notice in your list with and without avast uninstalled there is alg (Application Layer Gateway), which isn't an avast process, listening and associated to that IP (Domain: iol.it).
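As an added example (not code from this thread, from avast, or from DavidR), here is a small Python parser for the Windows XP `netstat -ab` listings quoted above: it separates LISTENING sockets, whose foreign column is the wildcard 0.0.0.0:0 rendered through name lookup (DavidR's listing shows it as PC1:0, and `netstat -an` prints it numerically), from sockets that have a real peer, and tags the 12025/12080/12110/12119/12143 listeners the thread attributes to ashMaiSv.exe and ashWebSv.exe. The "12000 + scanned port" offset is inferred from the quoted listings, and the sample input is constructed from rows quoted in the thread.

```python
import re
from collections import Counter

# One connection row of Windows XP "netstat -ab" output. UDP rows have no
# state column and show the foreign address as "*:*"; the PID column is
# present only with -o/-b.
ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<lhost>\S+):(?P<lport>\S+)\s+"
    r"(?P<fhost>\S+):(?P<fport>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?"
    r"(?:\s+(?P<pid>\d+))?\s*$"
)

# Service names netstat substitutes for well-known ports (Windows services file).
WELL_KNOWN = {"epmap": 135, "netbios-ns": 137, "netbios-dgm": 138,
              "netbios-ssn": 139, "microsoft-ds": 445, "isakmp": 500, "ntp": 123}

# Ports avast redirects through its localhost proxy (DavidR's reply). The
# listeners in the thread sit at 12000 + that port; this offset is inferred
# from the quoted listings, not taken from avast documentation.
AVAST_SCANNED_PORTS = {25, 80, 110, 119, 143}
AVAST_PROXY_BASE = 12000

# Constructed sample, assembled from rows quoted in this thread.
SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    box:epmap              ppp-54-25.32-151.iol.it:0  LISTENING       796
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  TCP    box:microsoft-ds       ppp-54-25.32-151.iol.it:0  LISTENING       4
  [System]

  TCP    box:12025              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12080              ppp-54-25.32-151.iol.it:0  LISTENING       1104
  [ashWebSv.exe]

  TCP    box:1032               localhost:1033         ESTABLISHED     1696
  [firefox.exe]

  UDP    box:isakmp             *:*                                    588
  [lsass.exe]
"""


def port_number(text):
    """Turn a netstat port field ('epmap', '12025', '*') into an int or None."""
    if text.isdigit():
        return int(text)
    return WELL_KNOWN.get(text)


def parse_netstat(text):
    """Parse 'netstat -ab' output into records carrying their module and process lines."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW.match(raw)
        if m:
            current = m.groupdict()
            current["lport_num"] = port_number(current["lport"])
            current["modules"] = []
            current["process"] = None
            records.append(current)
        elif current is None or not line:
            continue                      # header text or blank separator
        elif line.startswith("[") and line.endswith("]"):
            current["process"] = line[1:-1]   # "[svchost.exe]" owner line
        else:
            current["modules"].append(line)   # DLL / component line under -b
    return records


def summarize(records):
    """Separate sockets with no peer (listeners) from sockets with a real peer."""
    out = {"listeners": [], "peers": [], "avast_proxies": [], "wildcard_names": Counter()}
    for r in records:
        if r["state"] == "LISTENING" or r["fhost"] == "*":
            # A listening socket's foreign column is 0.0.0.0:0 (or *:* for UDP):
            # no remote host is involved, whatever name netstat resolved it to.
            out["listeners"].append((r["proto"], r["lport_num"], r["process"]))
            if r["fport"] == "0":
                out["wildcard_names"][r["fhost"]] += 1
            port = r["lport_num"]
            if port is not None and port - AVAST_PROXY_BASE in AVAST_SCANNED_PORTS:
                out["avast_proxies"].append((port, r["process"]))
        else:
            out["peers"].append((r["fhost"], r["fport"], r["state"], r["process"]))
    return out


if __name__ == "__main__":
    summary = summarize(parse_netstat(SAMPLE))
    print("names shown on wildcard listeners:", dict(summary["wildcard_names"]))
    print("avast localhost proxies:", summary["avast_proxies"])
    print("sockets with a real peer:", summary["peers"])
```

On the sample, the iol.it name appears only on port-0 LISTENING rows and never as a peer; the only established connection is firefox talking to localhost.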
Title: Re: Please Help!
Post by: psw on April 04, 2008, 08:25:41 PM
Picture looks like you really have some malware which is injecting into different processes and connecting to a .it site.
Title: Re: Please Help!
Post by: Lisandro on April 04, 2008, 08:45:39 PM
Quote
To be honest Tech you seem to have NO clue, thanks for the help though.
In fact, it seems that I do have clues...

Quote
THE IP THAT AVAST USES FOR ASHWEB AND OTHER THINGS IS THE SAME IP THAT IS STILL LISTENING EVEN AFTER UNINSTALLING AVAST.
avast does not use an IP by WebShield. WebShield works like a proxy and does not use an external IP to work. avast does not listen to your ports by an IP.

Quote
Please read my posts carefully, I've been on this problem ever since it started. I'm a fairly intelligent person with a good sense of logic. So far no one has been able to tell me something I don't know other than "we have aswclear.exe in case add/remove programs dont work"
It's not a matter of good sense... but technical knowledge.

Quote
AVAST USES THIS IP
TCP    box:12025              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]
This IP is from your ISP server. ashMaiSv.exe is the avast mail provider that is listening on a port (not an IP) to scan your mail.

Quote
The ip STILL LISTENS ON MANY PORTS, USING VERY IMPORTANT PROCESSES, AVAST IS UNINSTALLED
It's not correctly uninstalled... ashMaiSv.exe shouldn't even be running... Did you boot after uninstalling?
Title: Re: Please Help!
Post by: AleKx on April 04, 2008, 08:51:02 PM
Not really connecting, more trying to connect.

Thanks to my router I think it's preventing it from phoning home.

If indeed you two gentlemen have the same hypothesis as I do, and think that I am in fact, infected, then why - why is it that Avast!, was using that IP?

Quote
TCP    box:12025              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12080              ppp-54-25.32-151.iol.it:0  LISTENING       1104
  [ashWebSv.exe]

  TCP    box:12110              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12119              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12143              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

Anyone?
Title: Re: Please Help!
Post by: Lisandro on April 04, 2008, 08:53:57 PM
Quote
Anyone?
Uninstall avast and these processes won't be running/listening to anything...
Title: Re: Please Help!
Post by: AleKx on April 04, 2008, 09:01:41 PM
Tech stop being so silly man. HAD YOU READ ALL MY POSTS, AVAST IS UNINSTALLED, I EVEN RAN ASWCLEAR.EXE - AVAST'S OWN UNINSTALL PROGRAM

Of course I rebooted after uninstalling.

I even ran CCleaner and Registry Booster, and Registry Booster is a licensed product that I bought, CCleaner is freeware. Had you read my posts, you wouldn't have needed to ask the question, I already said that I rebooted, ran the cleaner, ran registry booster and did a registry defrag, but you seem more intent on being sarcastic with me because I was sarcastic with you (once). Understand that I am frustrated, and that by having common knowledge, I meant, knowing stuff like, what a registry is, and, rebooting after uninstalling a program like anti-virus software is important, or, don't run two anti-viruses, or firewalls at once. Give me some credit here man.

I ran aswclear.exe and removed everything. That should do the trick itself. You seem to be the only one that doesn't think it's a virus here.

Quote
Quote from: AleKx on Today at 06:09:40 PM
AVAST USES THIS IP
TCP    box:12025              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]
This IP is from your ISP server. ashMaiSv.exe is the avast mail provider that is listening a port (not an IP) to scan your mail.

You don't seem to understand this. The program is uninstalled. The IP is no longer using ashmaisv.exe with PID 480, it's using kernel32.dll, and alg.exe, and other important executable and dll files. Apparently bold characters won't work so, Avast! is completely uninstalled and the IP is still listening on ports.

No hate Tech, all <3
Title: Re: Please Help!
Post by: Lisandro on April 04, 2008, 09:03:45 PM
I give up trying to keep a serene conversation and help...
I earn nothing giving my time for free here in avast forums. I do not deserve blame.
Title: Re: Please Help!
Post by: AleKx on April 04, 2008, 09:11:54 PM
Friend, I am not blaming you for anything. I am simply stating that had you read my posts, your questions would have been answered. Anyone who takes the time to help here is greatly appreciated, but you were going about it the wrong way, even if you kept on trying to help. Take 5 minutes and go through my posts, it will answer many of your questions, it took me a long time to gather this information and it would be appreciated if you read it before asking me silly questions like: "Did you reboot after uninstalling"

That's all I mean. Your help is appreciated. <3
Title: Re: Please Help!
Post by: AleKx on April 04, 2008, 10:32:48 PM
The reason I came on the Avast! forums for this was because the spyware I have was USING ashweb.exe
It completely by-passed Avast! even after doing a pre-boot scan.

I decided to call my ISP and I talked with 5 different technicians (I called 5 times because no one could tell me anything, I was hoping I'd land on someone that would.) And 4 out of the 5 technicians didn't know the "Netstat" command. I'm dead serious.

The first 2 technicians were clueless, and the third told me to call my D-Link router support. Which I did. I called and the technician was impolite, barely articulated, and showed no interest in helping me at all. I finally gave up with him and called my ISP again.

Technician #4 was very nice, did the best he could, but had no clue what Netstat was. How can I explain my problem to someone who doesn't even know how Netstat works.

I hung up with him and called again, and this time the technician knew what he was talking about. He asked me a series of logical questions (basically the same questions I asked myself), and we both came to the conclusion that it was spy-ware or other malicious software trying to dial home to the IP always showing up in my Netstat. Since he works for Bell, he wasn't allowed to help me with non-bell related products like Ad-Aware or any other tool that could help me, but he let me know that it was obvious that I was infected. The files infected are multiple, kernel32.dll, alg.exe to name 2, but there's plenty more. The virus is trying to dial to that IP I keep seeing, with the use of those .dll files and .exe's. It says "listening" because it's waiting on those ports it uses to connect to the IP, to open, so the files I have infected, can then download a virus.

Note that the IP was hooked on files that Avast! was using, so that's why I saw ashweb.exe related to them, and trying to connect to the IP. Avast! is also an anti-virus, it is NOT an anti-spyware. It's just a reminder that not one program will keep you completely safe.

It's very confusing when the spyware is using your anti-virus processes when you see this:
Quote
TCP    box:1026               ppp-54-25.32-151.iol.it:0  LISTENING       1700
  [alg.exe]

  TCP    box:12025              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12080              ppp-54-25.32-151.iol.it:0  LISTENING       1104
  [ashWebSv.exe]

  TCP    box:12110              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12119              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

  TCP    box:12143              ppp-54-25.32-151.iol.it:0  LISTENING       480
  [ashMaiSv.exe]

Is it normal for someone to assume that the IP above is a server that ashmaisv.exe (aka Avast!) uses? I think it is.

After uninstalling Avast!...
Quote
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    box:epmap              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:microsoft-ds       ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:2869               ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:1026               ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:1046               localhost:1045         TIME_WAIT
  TCP    box:12025              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:12080              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:12110              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:12119              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:12143              ppp-54-25.32-151.iol.it:0  LISTENING
  TCP    box:netbios-ssn        ppp-54-25.32-151.iol.it:0  LISTENING

Looking at this, after Avast! is completely uninstalled, isn't it safe to theorize that you might have spy-ware or a virus?

I think it's important to let other Avast! users know about this. REGARDLESS if anyone know exactly what the point is, actually not regardless, ESPECIALLY, if no one knows what the problem is.

To prevent further bashful comments, I'm not putting Avast! down. It's a good anti-virus. It makes a poor anti-spyware though.

*All this are hypothesis based on logical deduction from about 12 different people, including staff from Avast!, technical support staff from my ISP, and other Internet gurus whom I know personally. So far 10 out of the 12 people think its a spy-ware/virus
Title: Re: Please Help!
Post by: alanrf on April 04, 2008, 11:54:44 PM
Couple of things.

First it would probably help you a bit more if you installed a program that gives you a better view of your connections like the free TCPView available from Microsoft/Sysinternals.

You are not connecting to a website as such - you are connecting to an individual user at that site. That has all the hallmarks of someone using a P2P program where the person at the other end is telling you to connect to them on well known ports such as port 25, port 119, port 80 etc. Such usage is quite common in the P2P world. It so happens that avast scans activity on those well known ports because that is how it works to scan email, nntp and web browsing.

So - are you using a P2P program on your system?

Title: Re: Please Help!
Post by: AleKx on April 05, 2008, 04:16:52 AM
Yes, but the program is seldom used. I've used it twice since formatting, and only to get 2 well-known Unreal Tournament movies that I can't find elsewhere (not even on levitation-gaming). I've scanned everything that I've downloaded with Avast! before running anything, DivX, Ventrilo, mIRC, nnscript, peerguardian, firefox, filezilla, x-netstat, netstat agent. Those are the only programs I've downloaded. All have been scanned and passed through Avast!. I had just reformatted..

Thanks for sharing your opinion alanrf, do you suggest I uninstall the p2p ?

I've looked into spyware removal tools and found Ghost Buster. I ran that and it found the trojan (a trojan is a virus right? why didn't avast catch it?) : Trojan.Win32.Patched.m

Ghost Buster is a Spyware removal tool but a Trojan is a virus to my knowledge, (if someone could clear that up if I'm wrong) but it wouldn't remove it since I only have the trial version. The path it found the trojan in was C:\Windows\system32\winlogin.exe

If you look at all the applications and DLL files it was listening with (My netstat -ab reports) winlogin.exe uses some of those files to function. It kind of all makes sense. I have a trojan, Avast didn't detect it, and all this energy spent on trying to find out why the heck someone is listening on my ports is at least validated.

One of you did the Netstat -ab and gave me your results. That was a clean Netstat right there, and that's how most pc's should be secure.

I've gone above and beyond with this, I've learned a lot too, and after more than 10 years of using microsoft products, I'm switching to Linux or Mac. I will try out both first to see which I prefer of course.

Microsoft sells you an operating system that is not finished. The product is not finished. There's no muffler on your car, there's no roof on your house, and there's holes everywhere in your operating system when you run Windows. XP was most likely its best operating system, Windows ME being the poorest (I'd rather run Windows 3.1)

Why do you think you have hundreds of updates when you have windows?
Because they sell you something that's unfinished, but they have the courtesy to patch the things that THEY find. Imagine all the stuff they DON'T find.

After re-installing Windows XP, the first day I have 28 updates. The second, 90 updates. The third, 10 updates... I didn't count how many there were in total but apparently it's still going. It's not only security updates for your operating system, it's for other microsoft products such as IE and Explorer and registry fixes or what have you. These are serious holes and serious issues. If you want to run windows you need: A) A firewall, B) An anti-virus, C) A router if you can, D) Spyware removal tools, E) Registry Cleaner/fixer etc etc etc.

They sell you this crap for 300$ a CD (When the OS just came out, windows sold for 350$ a CD at Future Shop).

Linux is FREE.

Do some research of how many people on linux have problems with viruses and trojans and spyware and malware and i-ware (heh). Do some research on how many people have problems with viruses and trojans and spyware and malware with Macintosh computers.

It took me 10 years to wake up and smell the freaking coffee. I've been up to date throughout all these years as much as I could with protecting myself while operating a Windows operating system, and I'll have none of it no more.

I've banged my head in walls and tried to protect myself for years, when I don't really have to. If I buy a mac, sure it's expensive, but they have the fastest processors, and they are the best when it comes to graphics, which is great for a gamer like me. I also get the friendly GUI that windows has, but without all its holes. Or, I can try Linux, a FREE operating system with one freaking millionth of Windows' vulnerabilities, and have a more "raw" GUI, and have to do things more manually or through WINE.

Either way, I'm not sticking with microsoft. Good riddance.
Title: Re: Please Help!
Post by: Lisandro on April 05, 2008, 04:18:18 AM
AleKx, if avast is completely and correctly uninstalled, there should be no process running, no files left behind... nothing. What I see from your posts is that you're complaining about badly uninstalled software.

Thanks to my router I think it's preventing it from phoning home.
avast does not phone home... something is infected in your computer.
Title: Re: Please Help!
Post by: AleKx on April 05, 2008, 04:37:51 AM
Tech you're kidding right?


Again, had you read my post, the current update is yes, we all think I have a virus.

Your first post was, did you reboot after uninstalling? And you were behind on that one. Now we're at the part where we're all 99% sure I have a virus. Regardless of the outcome, I'm glad my concerns were not in vain. I appreciate all the input from all of you guys. You wouldn't be taking the time to write if you didn't want to help.

Finding out where it came from is the least of my worries. I'd like to find out how to remove it. The trojan's name is Trojan.Win32.Patched.m (again, read my posts).

I've tried a few programs but they only seem to point out that I have this virus, they won't remove it like Avast! does with its trial. But Avast! didn't detect it. Should I try AVG maybe?
Title: Re: Please Help!
Post by: oldman on April 05, 2008, 04:39:58 AM
This is an intriguing post. What P2P program do you use? Was it a fresh download or from a backup after your reformat?
Title: Re: Please Help!
Post by: Lisandro on April 05, 2008, 04:42:30 AM
Tech you're kidding right?
No. I can't understand how a legit ashWebSv.exe or ashMaiSv.exe file could be present on a computer if avast was correctly uninstalled.
Title: Re: Please Help!
Post by: AleKx on April 05, 2008, 04:53:04 AM
Your last two posts, gentlemen, are exactly what I've been trying to emphasize. I can't imagine either. But the Netstat -ab report is there. I'm not wasting my time on forums with false Netstat reports. The IP was there and using that Avast! .exe, and it remained there and listened to epmap, microsoft-ds, netbios-ssn, etc. and other processes, with the SAME IP, even after uninstalling.

I will mention one last time how I uninstalled.

Initially I did it through Control Panel Add/Remove Programs, which seems to have worked fine. I REBOOTED after uninstalling.

Then I did the netstat and found it was still there, just this time, not using Avast's Ashweb.exe or whatever the exe is called. But it was still listening. Same IP.

Then I posted here and someone told me to run "aswclear.exe" - Avast!'s own uninstall program. Now, with basic experience, I've been taught that if somehow you've wrongly uninstalled a program, it's best to re-install it if you can, before doing the "proper" uninstall. So I did. I re-installed avast, but this time, I uninstalled Avast! with aswclear.exe. I then REBOOTED.

I did netstat and the connections were again using multiple DLL files and alg.exe and whatnot.

The trojan is called Trojan.Win32.Patched.m

Avast! didn't catch it. Actually, according to netstat when Avast! was installed and running, the IP was attached to the files that Avast! used. (I could be completely wrong.)

The P2P program that I used was utorrent. I've been playing Unreal Tournament and all its latest versions, ut2k3, ut2k4, UT3, since UT99. I'm currently making a movie and I had downloaded a bunch of oldschool UT movies that I could only find through torrents. I learned a long time ago to keep my programs as legit as possible.

Could anyone suggest a program that is free that could remove this particular trojan?

Title: Re: Please Help!
Post by: Rifkin on April 05, 2008, 04:53:59 AM
Guys, I don't think you have a virus or even spyware. It seems that when you have P2P software installed you are part of a network. This is what you are seeing. Avast won't flag it, because it's legit. Try uninstalling your P2P software and see if the traffic stops; remember also that infected software may use legit ISPs to cover their tracks, and blacklisting the ISPs blocks the bad and the legit.

The following is from an article on About.com

A good definition of P2P software was proposed by Dave Winer of UserLand Software many years ago when P2P was first becoming mainstream. Dave suggests that P2P software applications include these seven key characteristics:
-the user interface runs outside of a Web browser
-computers in the system can act as both clients and servers
-the software is easy to use and well-integrated
-the application includes tools to support users wanting to create content or add functionality
-the application makes connections with other users
-the application does something new or exciting
-the software supports "cross-network" protocols like SOAP or XML-RPC
Title: Re: Please Help!
Post by: Lisandro on April 05, 2008, 04:58:13 AM
I re-installed avast, but this time, I uninstalled Avast! with aswclear.exe. I then REBOOTED.
It is supposed to be run 'after' the Add/Remove programs and only if needed (i.e., Add/Remove fails).

The p2p program that I used was utorrent.
Has some issues with avast, I mean, avast with utorrent.
Title: Re: Please Help!
Post by: AleKx on April 05, 2008, 04:59:33 AM
Tech I know how you might be thinking that I'm saying Avast is listening or trying to phone home with a Virus. Quite frankly, I don't fully understand your hypothesis even after reading it multiple times. But I do know one thing, I'm not saying Avast! is part of the problem, or trying to phone home. I'm trying to help you help me, I'm not trying to be against you. Like I said in like 3 posts, I appreciate people who take the time to help.

I think I have a virus that Avast didn't detect. And possibly, since the virus used files like winlogon.exe (or winlogin.exe) and that application uses such files as kernel32.DLL etc. and other multiple DLLs (it can take a few DLLs for one .exe), then isn't it possible that by bypassing avast, it's a root-kit trojan or something? Avast! obviously did not detect it; another program did. It's recognised as a Trojan. The trojan used some files that Avast probably used as well to operate. That's probably why I saw the IP using ashweb.exe.


Now the things I know are

A) I have a virus, it's called Trojan.Win32.Patched.m
B) Avast! didn't detect it.
C) It's highly likely that I got the virus from utorrent since I only formatted 5 days ago.
D) If it is a network like you guys say, because I have a P2P program installed, then it came with Trojan.Win32.Patched.m
E) I highly doubt that by uninstalling utorrent, the Trojan will disappear.
F) You guys are awesome for helping me.  ;D

I'll uninstall UTorrent and REBOOT and run netstat again, see if the SAME ip is still there using the same processes and dll files.

Also Tech, you say that Avast has issues with UTorrent, but Avast! didn't detect anything when I ran UTorrent. It did detect something when I ran the OutPost Firewall though, I had to disable something. Funny that it would work for protection like a firewall, but not for a program prone to viruses like P2P UTorrent.

Let's put Rifkin's theory to the test: I'll uninstall the P2P, he says the connections will disappear.

(Is it me or do people not read my posts? I'm infected with a trojan, avast didn't detect it, you guys are giving me instructions on how to properly uninstall a program and telling me that if I uninstall the P2P the virus will go away and stop listening.)
Title: Re: Please Help!
Post by: oldman on April 05, 2008, 05:14:59 AM
Go ahead with what you are doing. Since you gave a name to the possible infection, I checked and one of the things it does is infect/replace winlogon.exe

So let's see what we can discover about your copy.

Please submit these files for analysis

To submit a file to virustotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

c:\windows\system32\winlogon.exe

scroll down a bit and click "send file", wait for the results and post them in your next reply.
Title: Re: Please Help!
Post by: AleKx on April 05, 2008, 05:15:39 AM
To be honest the problem is solved. I simply need to find a spyware or anti-virus that will remove Trojan.Win32.Patched.m

Unfortunately I can't use my Avast! that I paid for (I bought it, I don't just use the free version), like all my other legit programs. I mention this because I see too many people cracking software and not buying the real versions. Hell you buy it once and it's yours and you don't have to worry about downloading full programs on malicious websites. You have the program, it's clean, you're good.

Sucks though, ironically enough I'll probably end up finding a free program that removes specifically Trojan.Win32.Patched.m

Title: Re: Please Help!
Post by: AleKx on April 05, 2008, 05:17:14 AM
Ok oldman, I will try that. Thank you.
Title: Re: Please Help!
Post by: AleKx on April 05, 2008, 05:21:49 AM
This is my report from following your instructions:

MD5:     01c3346c241652f43aed8e2149881bfe
Date:    03.31.2008 06:17:30 (CET) [>4D]
Results:    0/32
Permalink:    analisis/ed6726c2dfa5cc59ed62fb2c333dd8ef (here's the link so you can view it: http://www.virustotal.com/analisis/ed6726c2dfa5cc59ed62fb2c333dd8ef )

from reading this, I'm assuming the MD5 is some type of identifier for winlogon.exe, the Date is self explanatory, and Results: show the number of infected files I assume?

Why then did Ghost Buster specifically detect c:\windows\system32\winlogin.exe as Trojan.Win32.Patched.m?

I just figured out that the link you sent me used online scanners like Norton and Symantec to scan a specific file, which is awesome. But then why would all these known anti-virus programs not detect it but Ghost Buster 5 will?
Title: Re: Please Help!
Post by: Rifkin on April 05, 2008, 05:31:17 AM
http://www.trojanwin32-patched-removal.com.removal-instructions.com/removeTrojanWin32Patched.html

The above link has manual removal and a special SpyHunter scanner download link.  All free.  Also some viruses, infect the antivirus first!  So, they would detect it if they were not infected themselves.  On-line virus scanners avoid this problem.
Title: Re: Please Help!
Post by: AleKx on April 05, 2008, 05:31:23 AM
I uninstalled my P2P program UTorrent Rifkin, and I rebooted my pc. I also ran CCleaner and Registry Booster. I also cleaned my Temp files. I opened netstat and the same IP is still listening, still using netbios-ssn, epmap, microsoft-ds, and listening on specific ports.
Title: Re: Please Help!
Post by: AleKx on April 05, 2008, 05:33:30 AM
Yes thank you Rifkin, I have already googled the Trojan name and found that link myself. I have already installed and tried SpyHunter. It detects nothing. Ghost Buster 5 does though, and it detects winlogon.exe specifically, COINCIDENTALLY? using the same files that the IP constantly listening to my ports is listening with? I think not. Again, thank you Rifkin.  ;)


......Wait I could be wrong, Instead of double posting I'll just modify the post, It says to do that in SAFE MODE, which I haven't done. So I'll do that first and I'll let you guys know.

A lot of you have been helping, again, you guys are kind, it is most welcome.
Title: Re: Please Help!
Post by: oldman on April 05, 2008, 05:38:15 AM
That scan would appear to be clean. Yes, the md5 is a file identifier. The date is a little strange, as on virustotal's page it says "File winlogon.exe_ received on 03.31.2008 06:08:56 (CET)", and it's April 04 where I am.

And yes, you are correct for the results, no one detected anything. A false positive on Ghost Buster's part perhaps? Don't get me wrong, I'm not denying you have a problem.

Let me check some more.

added

Rifkin may be correct, an online scan might be the answer. Eset and kaspersky both have good detection rates. The difference is eset will remove, kav will only report.

If this is the route you take, I'd be very interested in the results. A bit of a hobby.

Title: Re: Please Help!
Post by: Rifkin on April 05, 2008, 05:46:34 AM
You may want to try the Ad-aware free version. I often run an Ad-aware scan with Avast set to check all files on opening. As Ad-aware reads the files Avast! checks them and often finds viruses that are missed otherwise. Also Ad-aware can find and remove some viruses itself. I also had one person whose ISP was infected, and every time the computer connected it got infected. I finally had to go off-line, do a clean reinstall and install anti-virus and anti-spyware before allowing it to connect, even for Microsoft.
Title: Re: Please Help!
Post by: oldman on April 05, 2008, 05:57:18 AM
AleKx

Did Ghost Buster's scan also detect this file C:\WINDOWS\system32\dllcache\winlogon.exe ? It's a backup copy of the file. These bugs mutate, so it's possible that it's slipped past the avs and GB is the first out of the block with the detection.
Title: Re: Please Help!
Post by: AleKx on April 05, 2008, 06:08:44 AM
No, it only detected the virus in c:\windows\system32\winlogon.exe

I'm currently in Safe-Mode with Networking.

I figured out how to know exactly which exe the file is listening to. When you do Netstat -ab, it associates a PID to the connection. You can then CTRL+ALT+DELETE, go to View: Show PIDs, that way your Task Manager will show the PIDs. The files are: image name svchost.exe (Network service PID 864), image name winlogon.exe, svchost.exe (Network service PID 728) and image name System (System PID 4).

Here are some of the DLL files in use that THE IP LISTENING ON MY PORTS ALSO USES.

Protocol: TCP Local Address: box:epmap Foreign Address: ppp-54-25.32-151.iol.it:0 State: Listening PID: 728
RPCRT4.DLL
WS2_32.DLL
svchost.exe
(unknown components)
svchost.exe

epmap is just one of them. It also uses netbios-ssn, and microsoft-ds and a few others.



PS: "box" is the name of my computer.
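The PID-matching walk-through above is done by hand with netstat -ab and Task Manager. Here is an added Python example (not code from the thread or from any poster) that does the same grouping over constructed Windows XP-style netstat -ab output, reusing the host names quoted above, and lists LISTENING sockets whose foreign-address column shows something other than the wildcard or the local machine name, which is the pattern the posts keep coming back to. The sample output, the column layout and the function names are assumptions.

```python
# Added example: group Windows XP-style "netstat -ab" output by PID and flag
# LISTENING sockets with an unexpected foreign address. SAMPLE_NETSTAT_AB is
# constructed to mimic the XP layout: a connection line (Proto, Local, Foreign,
# State, PID) followed by the modules owning the socket, image name in brackets.
import re

SAMPLE_NETSTAT_AB = """\
  Proto  Local Address     Foreign Address              State        PID
  TCP    box:epmap         ppp-54-25.32-151.iol.it:0    LISTENING    728
  RPCRT4.dll
  WS2_32.dll
  [svchost.exe]

  TCP    box:microsoft-ds  ppp-54-25.32-151.iol.it:0    LISTENING    4
  [System]

  TCP    box:1032          box:0                        LISTENING    864
  [svchost.exe]
"""

# proto, local, foreign, optional state (UDP lines have no State column), pid
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def parse_netstat_ab(text):
    """One record per socket, with the module lines netstat printed under it."""
    records = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            records.append({"proto": proto, "local": local, "foreign": foreign,
                            "state": state or "", "pid": int(pid),
                            "image": None, "modules": []})
        elif records and line.strip():  # the header line precedes any record
            token = line.strip()
            if token.startswith("[") and token.endswith("]"):
                records[-1]["image"] = token[1:-1]  # owning executable
            else:
                records[-1]["modules"].append(token)  # DLL or "(unknown components)"
    return records


def odd_listeners(records, local_host):
    """LISTENING sockets whose foreign column is neither the wildcard nor the local
    host. A listening socket has no peer yet, so anything else there deserves a
    second look; rerun with -n to see the numeric address, not a reverse-DNS name."""
    return [r for r in records
            if r["state"] == "LISTENING"
            and r["foreign"].rsplit(":", 1)[0] not in ("0.0.0.0", "*", local_host)]


if __name__ == "__main__":
    for r in odd_listeners(parse_netstat_ab(SAMPLE_NETSTAT_AB), "box"):
        print("check:", r["pid"], r["image"], r["proto"], r["local"], "<-", r["foreign"])
```

Paste real netstat -ab output in place of the constructed sample and pass your own machine name as local_host.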
Title: Re: Please Help!
Post by: AleKx on April 05, 2008, 06:13:29 AM
I have a solution, screw Microsoft, and yay Linux or Mac. I've been a Windows user for 10 years and I'm fed up with all the protection needed, antiviruses, anti-malware, anti-spyware, anti-trojans, anti-worms, etc. etc. Even after investing in legitimate copies of the programs I use (I wasn't always an angel but I learned) I still get viruses, even when running Avast or having a router. I can't be arsed to hop from one anti-virus to the other because one program won't fix them all, because Microsoft sells us an unfinished product, hence the 150 security updates I had to do 4 days ago after re-installing Windows.

I'm done with it, done. Windows is going in the garbage. I'm probably going to run Mac since Linux is a lot of manual stuff. Besides, Macs have the fastest processors and best GFX, oh, and no viruses, or virtually none. A lot better than 10 years of Microsoft's bs, that's for sure.

Thank you to everyone who helped. But I've found a solution to my problem. Instead of finding a solution to get rid of the viruses, I'll get rid of the thing that hosts them, the operating system itself.
Title: Re: Please Help!
Post by: oldman on April 05, 2008, 06:29:28 AM
If that's your solution, then so be it.  ;D I understand your frustration.

BTW did Rifkin's suggestion work?
Title: Re: Please Help!
Post by: AleKx on April 05, 2008, 07:13:13 AM
Negative, I have uninstalled UTorrent, rebooted and the IP is still listening.  ???
Title: Re: Please Help!
Post by: oldman on April 05, 2008, 07:21:33 AM
If you are interested, we can try a scan tool or two and see if we can see anything amiss.

You could also check C:\WINDOWS\system32\dllcache for winlogon.exe and check the file info in its properties.
Title: Re: Please Help!
Post by: Rifkin on April 05, 2008, 04:59:01 PM
If your copy of UTorrent was infected, uninstalling it would not remove the virus (it had already infected other files). It turns out Avast has its own online virus scanner; it is a single-file scanner, so you can have it scan winlogon.exe directly. It's http://onlinescan.avast.com.

Here are a few links I use to check for Internet security.

http://www.doxdesk.com/parasite/                (Parasite Detector)
https://www.grc.com/x/ne.dll?bh0bkyd2         (Shields UP! — Internet Vulnerability Profiling)
http://www.grc.com/lt/leaktest.htm               (GRC  LeakTest -- Firewall Leakage Tester)
http://bcheck.scanit.be/bcheck/                    (Browser Security Test)
http://www.hashemian.com/tools/whoami.php  (Whoami - My IP Address, Browser info, DNS Lookup)