Greetings.
I formatted my C: drive 3 days ago and re-installed Windows XP. I’m also behind a router, and I run Avast!. Not two hours after the fresh installation, I checked the status of netstat and found one address constantly listening on certain ports. At first I thought it was normal, considering Avast! has a Network Shield and Web Shield and an Email Shield etc. But then I uninstalled Avast! to see if the listening host would leave, expecting it to, if indeed that IP is used by Avast! to run the Shields or whatever, but no. Even after uninstalling Avast! completely (also cleaning my caches and temp files), the host was still listening. This got me more than intrigued. There’s also the fact that it was the same IP.
I did a Network Lookup on the host/IP with http://network-tools.com/ for the IP that was listening. Here’s what I got.
I also want to mention that I have a DSL modem, and I tried changing my IP by resetting the modem (which worked), but the IP was still listening…
IP address: 151.32.25.54
Host name: ppp-54-25.32-151.iol.it
Then I googled the IP itself (151.32.25.54), and there’s only one result. It’s a website with a blacklist containing IP addresses. Guess which IP is on the blacklist: 151.32.25.54. Try it yourself: open up a browser and google the IP “151.32.25.54”.
At this point my worries aren’t lessening in any way. I downloaded X-Netstat, and the program would detect EVERY connection but that one. I then tried NetStat Agent, the program would also detect EVERY connection but that one, 151.32.25.54.
The IP is listening on very sensitive ports, which are very common for worms or trojans. One of them is used by a very well-known virus called Blaster, and coincidentally the IP is using the same port many trojans would use. The IP is also using processes, which was even scarier. Here’s what I found with netstat -ab (to find out the PID and process the connection is or might be using).
Microsoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-2001.

C:\DOCUME~1\ADMINI~1>netstat -ab
Active Connections
Proto Local Address Foreign Address State PID
TCP box:epmap ppp-54-25.32-151.iol.it:0 LISTENING 808
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\svchost.exe
-- unknown component(s) --
[svchost.exe]
TCP box:microsoft-ds ppp-54-25.32-151.iol.it:0 LISTENING 4
[System]
TCP box:2869 ppp-54-25.32-151.iol.it:0 LISTENING 1088
C:\WINDOWS\System32\httpapi.dll
c:\windows\system32\ssdpsrv.dll
C:\WINDOWS\system32\RPCRT4.dll
[svchost.exe]
TCP box:1026 ppp-54-25.32-151.iol.it:0 LISTENING 1700
[alg.exe]
TCP box:12025 ppp-54-25.32-151.iol.it:0 LISTENING 480
[ashMaiSv.exe]
TCP box:12080 ppp-54-25.32-151.iol.it:0 LISTENING 1104
[ashWebSv.exe]
TCP box:12110 ppp-54-25.32-151.iol.it:0 LISTENING 480
[ashMaiSv.exe]
TCP box:12119 ppp-54-25.32-151.iol.it:0 LISTENING 480
[ashMaiSv.exe]
TCP box:12143 ppp-54-25.32-151.iol.it:0 LISTENING 480
[ashMaiSv.exe]
TCP box:netbios-ssn ppp-54-25.32-151.iol.it:0 LISTENING 4
[System]
Here is the result of netstat -a after uninstalling Avast!:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP box:epmap ppp-54-25.32-151.iol.it:0 LISTENING
TCP box:microsoft-ds ppp-54-25.32-151.iol.it:0 LISTENING
TCP box:2869 ppp-54-25.32-151.iol.it:0 LISTENING
TCP box:1026 ppp-54-25.32-151.iol.it:0 LISTENING
TCP box:1046 localhost:1045 TIME_WAIT
TCP box:12025 ppp-54-25.32-151.iol.it:0 LISTENING
TCP box:12080 ppp-54-25.32-151.iol.it:0 LISTENING
TCP box:12110 ppp-54-25.32-151.iol.it:0 LISTENING
TCP box:12119 ppp-54-25.32-151.iol.it:0 LISTENING
TCP box:12143 ppp-54-25.32-151.iol.it:0 LISTENING
TCP box:netbios-ssn ppp-54-25.32-151.iol.it:0 LISTENING
The connections are still there. Notice that it’s listening on port 0, and that it’s also listening on NetBIOS.
That being said, I would greatly appreciate it if someone could shed some light on this for me. I’m here thinking it’s a virus, but then if it is, why isn’t Avast! catching it? But then again, if it were a virus, why would Avast! use it?
And if it isn’t a virus, and it is from Avast!, why is it still there after I uninstall?
Notice that the host name starts with “ppp”, meaning it’s either a dial-up or DSL modem. Why would a company such as Avast! use “possibly” dial-up or DSL modems? Wouldn’t they use OC-12s or at least a T1/T3?
I’m utterly confused even after doing a vast amount of research on every single piece of information I could gather. I don’t expect all my questions to be answered, but if anyone could answer me this one: why does Avast! use the IP and listen in on my ports when installed, and why does it still do it after I have uninstalled?
Thank you for taking the time to read, any help is greatly appreciated!
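As an added example (not part of the post above), a small Python parser over the netstat -a rows quoted in the post: it shows why every LISTENING row carries the same foreign name with port 0, separates rows that actually have a remote peer, and picks out the open RPC/SMB ports a home router or host firewall should block. The port numbers for epmap, netbios-ssn and microsoft-ds are the standard IANA assignments; the sample rows are copied from the post, with some omitted.

```python
# Constructed sample: `netstat -a` rows quoted in the post above (some rows omitted).
NETSTAT_OUTPUT = """\
Proto Local Address Foreign Address State
TCP box:epmap ppp-54-25.32-151.iol.it:0 LISTENING
TCP box:microsoft-ds ppp-54-25.32-151.iol.it:0 LISTENING
TCP box:2869 ppp-54-25.32-151.iol.it:0 LISTENING
TCP box:1026 ppp-54-25.32-151.iol.it:0 LISTENING
TCP box:1046 localhost:1045 TIME_WAIT
TCP box:12025 ppp-54-25.32-151.iol.it:0 LISTENING
TCP box:netbios-ssn ppp-54-25.32-151.iol.it:0 LISTENING
"""

# Service names netstat prints in place of well-known ports when run without -n.
SERVICE_PORTS = {"epmap": 135, "netbios-ssn": 139, "microsoft-ds": 445}
# RPC/SMB ports that worms such as Blaster (TCP 135) probed from the Internet;
# they belong behind a router or host firewall, never exposed.
INTERNET_HOSTILE_PORTS = {135, 139, 445}

def parse_endpoint(endpoint):
    # Split "host:port" and map a service name back to its port number.
    host, _, port = endpoint.rpartition(":")
    return host, SERVICE_PORTS[port] if port in SERVICE_PORTS else int(port)

def parse_netstat(text):
    # One dict per TCP row; the header and UDP rows (no State column) are skipped.
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue
        _, local_port = parse_endpoint(parts[1])
        foreign_host, foreign_port = parse_endpoint(parts[2])
        rows.append({"local_port": local_port, "foreign_host": foreign_host,
                     "foreign_port": foreign_port, "state": parts[3]})
    return rows

def triage(rows):
    # Separate sockets still waiting for a peer from sockets that have one.
    listening, peers = [], []
    for r in rows:
        if r["state"] == "LISTENING":
            # A LISTENING socket has no remote end yet: the foreign column holds the
            # wildcard 0.0.0.0:0, and netstat without -n passes that address through
            # name resolution, so one resolver-supplied name shows up on every
            # listening row. Port 0 is the giveaway that nothing is connected.
            listening.append(r["local_port"])
        else:
            peers.append((r["foreign_host"], r["foreign_port"], r["state"]))
    exposed = sorted(set(listening) & INTERNET_HOSTILE_PORTS)
    return {"listening": sorted(listening), "peers": peers, "firewall_these": exposed}
```

Running netstat -an instead prints the raw 0.0.0.0:0 in the foreign column, which is the quickest way to confirm the name is just resolver output.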