
Virus and / or security problem...

Discussion in 'Desktop & Laptop Computers Forum' started by janmars, Oct 9, 2004.

  1. janmars (Standard Member)
    I am using a Java-based client to upload and download files from my PC. However, I have noticed on Sygate that whilst it is showing traffic for Java going in and out...it is also showing a lot of incoming traffic for a program called NDIS.

    I know this application is a part of windows but where is all the traffic coming from? (There is no outgoing traffic incidently). Also the "Application Layer Gateway" keeps attempting to make FTP connections with a remote address. Could this be a trojan issue?

    I have run my virus scanner (Nod32) as well as Trend Micro's "HouseCall". HouseCall found some infected files, so I used it to delete those files. (They were internet files in the Internet Temp. folder). Nod32 had mentioned these infections and I thought it had removed them.

    However after removing the infected files, the PC comes up clean on all scans. But can my PC still be infected?

    Also...whilst this Java-based client is running...even if it isn't using my entire bandwidth, the Internet connection runs like a pig.

    Anyone able to offer help?

    EDIT: I just terminated the Java application within Sygate...and in the logs it now reads "Application, %1 has been terminated".

    I am getting a bit confused now...

    For the moment, I have blocked both Java and NDIS till I get some info...
     
  2. Hawklord (Well-known Member)
    I'd recommend downloading Lavasoft's Ad-Aware SE and Spybot Search & Destroy to find and remove any spyware and other parasites. They are both free to use for the basic functions, which do a good job of purging your system of unwanted crap.
    I do not know anything about NDIS; maybe a Google will turn something up :)
     
  3. KraGorn (Active Member)
    That FTP activity sounds VERY suspicious.

    NDIS is usually an acronym associated with networking, as in 'NDIS drivers', not sure what you mean about inbound activity for a program called NDIS but I'm assuming it's an attempt to connect to a port or something. However, NDIS is different from TCP/IP so I'm not sure I'm on the right track with this one.

    If it's only inbound then the firewall's blocking it like it should and it's of no concern. IMHO firewall logging can cause paranoia very easily, I never turn on logging of inbound 'attacks', if the firewall blocked it nothing happened. :)

    I also don't understand what you mean about 'Java activity'. Java is a programming language and runtime system; I guess it means there's a program written in Java doing internet accesses... does the firewall log indicate what port it's running on, or any other information?

    You almost certainly have something nasty on your machine, between them AdAware and Spybot should find it, though there are some trojans around from time to time that neither spot.

    Spybot's home is here, the free version of AdAware can be found here.
     
  4. janmars (Standard Member)
    The Java client is Azureus, the BitTorrent client. (I didn't mention it because the above text I copied and pasted from my post on another forum that "doesn't allow" discussion of P2P. Though I never got an answer from there...and usually don't get much of a decent reply nowadays)...anyway, thanks for the replies here.

    I have opened ports 6881 through 6889 on my router to allow BitTorrent to work correctly. The Java activity is due to BitTorrent. However, I am unsure why this uses NDIS.

    The most important issue I have, though, is that after I close Azureus, the Java and NDIS activity continue. I have exactly the same issue with eMule...which continues to transmit and receive even after it has been closed.

    I have closed all the ports on the router now...and the suspicious activity stopped. Still makes me wonder what is going on though...

    Also, I have run both Ad-Aware and Spybot, and aside from a few tracking cookies there was nothing found.
     
  5. KraGorn (Active Member)
    Can't help with the P2P stuff I'm afraid, I don't use it.

    If Ad-Aware and Spybot failed to find anything, it's not 100% certain the PC's clean, but it'll have to do I guess. Do you know the port the activity is on once you've closed your P2P client? You mentioned FTP, so presumably that was using port 21; is that still the case?

    You may want to try installing the freeware version of ZoneAlarm, though I'm not sure if that blocks outbounds or not, but that's the sort of functionality you'll need to track down the culprit.
     
  6. janmars (Standard Member)
    Yes, the FTP request is for port 21, and the IP address backtraces to somewhere in Amsterdam.

    I am starting to think that a re-install is going to have to be the answer...
     
  7. jj_ (Guest)
    I have the same problem, but it is a Windows process, so I have allowed it to FTP; there is not enough data being sent/received to have aroused my suspicion. Also, NDIS is another Windows process, and it also sends out and receives a large amount of data. I also use Sygate.

    There's no point in formatting and clean installing your OS. Just terminate javaw.exe in Task Manager after you've finished using Azureus; this should resolve the data being sent/received after closing Azureus. Also, don't worry if you have data requests after this process has been terminated; it's most likely clients that still have your IP in their cache.

    Also, I wouldn't advise using ZoneAlarm, as it has a bunch of known issues with XP and other Windows OSes, including freezing of downloads.
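The question raised in post 5 (which port, and which process, is the activity on once the P2P client is closed) and the advice in post 7 (terminate javaw.exe) can both be settled from `netstat -ano` and `tasklist` output rather than from the firewall's per-application counters. The script below is an added example and is not code from this thread, from Sygate or from Azureus; the netstat and tasklist lines in it are constructed, the port range 6881-6889 is the one opened on the router above, and the process names are the ones the thread mentions. Two facts it relies on: Windows reports PID 0 for a TCP socket in TIME_WAIT because that socket is already closed and no program owns it, and alg.exe is the Windows Application Layer Gateway service, which relays FTP on behalf of whatever program asked for an FTP transfer, so an FTP connection attributed to alg.exe should be traced back to that program rather than treated as alg.exe's own.

```python
"""Cross-reference `netstat -ano` with `tasklist` to see which process owns
which network activity after a P2P client has supposedly been closed.
Added example; the sample output below is constructed, not captured."""
import re

# Constructed sample of `netstat -ano` output.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:6881           0.0.0.0:0              LISTENING       1804
  TCP    192.168.1.10:6881      203.0.113.45:51234     ESTABLISHED     1804
  TCP    192.168.1.10:3342      198.51.100.7:21        SYN_SENT        980
  TCP    192.168.1.10:6889      203.0.113.90:6881      TIME_WAIT       0
  UDP    0.0.0.0:1026           *:*                                    1120
"""

# Constructed sample of `tasklist` output.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         16 K
javaw.exe                     1804 Console                    0     52,120 K
alg.exe                        980 Console                    0      3,428 K
svchost.exe                   1120 Console                    0      4,876 K
"""

# Ports forwarded on the router for BitTorrent (from the thread).
P2P_PORTS = range(6881, 6890)


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` rows: name, pid, session, id, mem."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def split_endpoint(endpoint):
    """'192.168.1.10:6881' -> ('192.168.1.10', 6881); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` rows. TCP rows carry a state column, UDP rows do not."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or 'Active Connections'
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:
            proto, local, foreign, pid = parts
            state = ""
        _, local_port = split_endpoint(local)
        remote_host, remote_port = split_endpoint(foreign)
        rows.append({"proto": proto, "local_port": local_port, "state": state,
                     "remote_host": remote_host, "remote_port": remote_port,
                     "pid": int(pid)})
    return rows


def triage(netstat_text, tasklist_text, p2p_ports=P2P_PORTS):
    """Return (pid, owner, state, note) for each row worth a second look."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        if c["state"] == "TIME_WAIT":
            # Windows shows PID 0 here: the socket is already closed and the
            # kernel is draining it, so no running program is behind it.
            findings.append((c["pid"], "(none)", c["state"],
                             "closed socket draining; no process owns it"))
        elif c["remote_port"] == 21:
            owner = procs.get(c["pid"], "?")
            findings.append((c["pid"], owner, c["state"],
                             "FTP to %s (if alg.exe, trace back to the program that asked for FTP)"
                             % c["remote_host"]))
        elif c["local_port"] in p2p_ports:
            owner = procs.get(c["pid"], "?")
            findings.append((c["pid"], owner, c["state"],
                             "still bound to P2P port %d" % c["local_port"]))
    return findings


if __name__ == "__main__":
    for pid, owner, state, note in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("PID %-5d %-14s %-12s %s" % (pid, owner, state, note))
```

Run against real output, `triage` would read the two commands' output from files or pipes instead of the constructed strings; a javaw.exe row still bound to a P2P port after the client window is closed is exactly the lingering process post 7 describes, whereas TIME_WAIT rows and inbound traffic the firewall already dropped are not evidence of anything running.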
     
