
iad1 on TCP 1030

Discussion in 'Virus & Other Malware Removal' started by nmorrisonaz, Jun 11, 2004.

Thread Status:
Not open for further replies.
  1. nmorrisonaz (Thread Starter), Joined: Jun 8, 2004, Messages: 5
    One of our users just lost control of her PC. Someone remotely took control of her mouse. The only unusual activity we have seen thus far is Port 1030 called iad1. Has anyone seen this?
     
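
    The first check to make on that machine, before guessing what "iad1" is: netstat -a and most port scanners label a port by looking its number up in a services table, and 1030/tcp is registered there as iad1 (BBN IAD). The label describes the table entry, not the program listening; what identifies the program is the owning PID. The Python below is an added example, not code from the thread. It parses constructed text in the Windows XP/2003 layout of `netstat -ano`, the services file and `tasklist /svc` (Windows 2000's netstat has no -o switch, so on the poster's platform the PID column would have to come from another tool) and reports, for one port, the services-file label, whether the port falls in the default dynamic range 1025-5000 that RPC endpoints and outbound connections are assigned from, and the image and hosted services behind each PID. All sample rows and PIDs are constructed, not from the poster's machine.

```python
r"""Identify what is behind a local TCP port: netstat's label, the owning PID, the image.

Added example, not code from the thread. Parses text in the Windows XP/2003 layout of
`netstat -ano`, %SystemRoot%\system32\drivers\etc\services and `tasklist /svc`. The three
inputs below are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout of the Windows services file.
SERVICES_FILE = """
# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]
epmap              135/tcp    loc-srv                #DCE endpoint resolution
microsoft-ds       445/tcp
iad1              1030/tcp                           #BBN IAD
"""

# Constructed `netstat -ano` output; the PID column is what -o adds (XP and later).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING       812
  TCP    192.168.10.5:1030      192.168.10.20:445      ESTABLISHED     812
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /svc` output, to turn a PID into an image and its hosted services.
TASKLIST_OUTPUT = """
Image Name                     PID Services
============================= ====== =============================================
System                             4 N/A
svchost.exe                      812 RpcSs
"""

# Default dynamic (ephemeral) port range on Windows 2000/XP/2003: RPC endpoints and
# outbound connections are assigned ports here, so a listening 10xx port is ordinary.
DYNAMIC_RANGE = (1025, 5000)


def parse_services(text: str) -> Dict[Tuple[int, str], str]:
    """Return {(port, proto): name}; comment text and blank lines are skipped."""
    table: Dict[Tuple[int, str], str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, port_proto = line.split()[:2]
        port, proto = port_proto.split("/")
        table[(int(port), proto.lower())] = name
    return table


def parse_netstat(text: str) -> List[dict]:
    """Parse `netstat -ano` rows; TCP rows have a State column, UDP rows do not."""
    rows: List[dict] = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = fields[0].lower(), fields[1], fields[2]
        state, pid = (fields[3], fields[4]) if proto == "tcp" else ("", fields[3])
        rows.append({"proto": proto, "port": int(local.rsplit(":", 1)[1]),
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text: str) -> Dict[int, str]:
    """Return {pid: 'image (services)'} from `tasklist /svc`; header rows never match."""
    procs: Dict[int, str] = {}
    for raw in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(.*)$", raw.strip())
        if m:
            procs[int(m.group(2))] = f"{m.group(1)} ({m.group(3).strip()})"
    return procs


def port_owner(port: int, proto: str = "tcp", netstat: str = NETSTAT_OUTPUT,
               services: str = SERVICES_FILE, tasklist: str = TASKLIST_OUTPUT) -> dict:
    """Describe one local port: its services-file label, the PIDs bound to it, their images."""
    names = parse_services(services)
    procs = parse_tasklist(tasklist)
    rows = [r for r in parse_netstat(netstat) if r["port"] == port and r["proto"] == proto]
    pids = sorted({r["pid"] for r in rows})
    return {
        "port": port,
        "proto": proto,
        # The name netstat -a (without -n) prints instead of the number. It is a lookup in
        # the services file and says nothing about the program actually bound to the port.
        "service_name": names.get((port, proto)),
        "in_dynamic_range": DYNAMIC_RANGE[0] <= port <= DYNAMIC_RANGE[1],
        "pids": pids,
        "processes": [procs.get(pid, f"pid {pid} not in tasklist") for pid in pids],
        "states": sorted({r["state"] for r in rows}),
    }


if __name__ == "__main__":
    for key, value in port_owner(1030).items():
        print(f"{key:>17}: {value}")
```

    On the constructed data, 1030/tcp resolves to the label iad1, sits inside the dynamic range, and belongs to PID 812, an svchost.exe hosting RpcSs. That is the answer the label alone cannot give: whether the port is a normal RPC endpoint or something bound by an unexpected image is decided by the PID column and the process behind it, not by the name in the services file.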
  2. rtty, Joined: May 11, 2003, Messages: 294
    Hi nmorrisonaz,

    Not sure if any malware can do that.

    But please do this. Click here to download Hijack This. Run HijackThis.
    Click the "Scan" button. When the scan is finished, the "Scan" button will become "Save Log"; click that and save the log.

    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

    Note: when you download Hijack This, do not download it to a temp folder or to the desktop. Create a permanent folder somewhere, like in My Documents, name it Hijack This and put it in that folder.
     
  3. nmorrisonaz (Thread Starter), Joined: Jun 8, 2004, Messages: 5
    Logfile of HijackThis v1.97.7
    Scan saved at 2:24:50 PM, on 6/11/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    C:\WINNT\System32\PGPsdkServ.exe
    C:\PROGRA~1\Novadigm\RADEXECD.exe
    C:\PROGRA~1\Novadigm\RADSCHED.exe
    C:\PROGRA~1\Novadigm\RADSTGMS.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\FileNET\IDM\fnsysmgr.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    C:\Program Files\Old Office\Office\OSA.EXE
    C:\WINNT\system32\NOTEPAD.EXE
    C:\WINNT\system32\mmc.exe
    C:\WINNT\system32\taskmgr.exe
    C:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pbsc.bechtel.com/pbsc/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Timberline Software
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 147.1.23.193:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 147.1.*.*;*becweb.ibechtel.com;*.ibechtel.com;ess.bechtel.com;aces.bechtel.com;pbsc.bechtel.com;localhost;192.233.76.*;140.244.2.36;140.244.2.39;207.240.202.83;204.74.68.*;207.240.240.*;207.240.29.*;64.78.148.140;<local>
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [0FileNET System Manager] C:\Program Files\FileNET\IDM\fnsysmgr.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Old Office\Office\OSA.EXE
    O4 - Global Startup: PGPtray.lnk = C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .ext: C:\Program Files\Internet Explorer\PLUGINS\npradia.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {020f6116-407b-11d3-a3bb-00c04fa32518} - http://147.1.248.24:8020/oa/jinit11718.exe
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://phxs9026.becweb.ibechtel.com:8106/jinitiator/oajinit.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.4103125
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amers.ibechtel.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amers.ibechtel.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = amers.ibechtel.com
     
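
    The log above is what rtty's procedure produces, and the triage he describes (most entries harmless, a person decides what to fix) starts with reading where each process and autostart runs from. The Python below is an added example, not HijackThis code and not part of the thread. It parses a HijackThis 1.9x log into its header, process list and section-coded entries, then applies three location rules of its own: executables outside %SystemRoot% and Program Files, O4 autostarts given as a bare file name that Windows resolves through the search path, and O16 ActiveX packages with an IP-literal or missing download URL. The embedded LOG is a shortened excerpt of the log posted above; the assumption that %SystemRoot% is C:\WINNT comes from that log's process list. The rules only mark lines for review and declare nothing malicious.

```python
r"""Parse a HijackThis 1.9x log and mark lines for review by where things run from.

Added example: not HijackThis code and not part of the thread. LOG is a shortened excerpt
of the log posted in the thread; the rules in triage() are this example's own heuristics.
"""
import re
from typing import List

LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 2:24:50 PM, on 6/11/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)

Running processes:
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\Explorer.EXE
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pbsc.bechtel.com/pbsc/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - Global Startup: PGPtray.lnk = C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
O16 - DPF: {020f6116-407b-11d3-a3bb-00c04fa32518} - http://147.1.248.24:8020/oa/jinit11718.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -
"""

# Assumption: %SystemRoot% is C:\WINNT (as in the log); C:\WINDOWS is added for XP logs.
TRUSTED_DIRS = ("c:\\winnt\\", "c:\\windows\\", "c:\\program files\\")
SECTION_RE = re.compile(r"^([RFNO]\d+) - (.*)$")          # e.g. "O4 - HKLM\..\Run: ..."
IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)", re.I)


def parse_log(text: str) -> dict:
    """Split the log into header fields, the process list and entries keyed by section code."""
    parsed: dict = {"header": {}, "processes": [], "entries": {}}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False                  # a blank line ends the process list
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            parsed["processes"].append(line)
        elif (m := SECTION_RE.match(line)):
            parsed["entries"].setdefault(m.group(1), []).append(m.group(2))
        elif line.startswith("Logfile of HijackThis"):
            parsed["header"]["version"] = line.split("HijackThis", 1)[1].strip()
        elif line.startswith("Platform:"):
            parsed["header"]["platform"] = line.split(":", 1)[1].strip()
    return parsed


def autorun_command(entry: str) -> str:
    """Command of an O4 entry: after '[Name]' for Run keys, after ' = ' for startup folders."""
    if re.match(r"(Global )?Startup: ", entry):
        return entry.split(" = ", 1)[1]
    m = re.match(r".*?\[[^\]]*\]\s*(.*)$", entry)
    return m.group(1) if m else entry


def executable_of(command: str) -> str:
    """Program part of a command line: the quoted path, or the text before the first switch."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return re.split(r"\s+(?=[-/])", command, maxsplit=1)[0]


def in_trusted_dir(path: str) -> bool:
    return path.strip('"').lower().startswith(TRUSTED_DIRS)


def triage(parsed: dict) -> List[dict]:
    """Apply the three location rules; each finding carries the section, the line and a reason."""
    out: List[dict] = []
    for proc in parsed["processes"]:
        if not in_trusted_dir(proc):
            out.append({"code": "process", "item": proc,
                        "reason": "runs from outside %SystemRoot% and Program Files"})
    for entry in parsed["entries"].get("O4", []):
        exe = executable_of(autorun_command(entry))
        if "\\" not in exe:
            out.append({"code": "O4", "item": entry,
                        "reason": "bare file name; resolved through the search path"})
        elif not in_trusted_dir(exe):
            out.append({"code": "O4", "item": entry,
                        "reason": "autostart from outside %SystemRoot% and Program Files"})
    for entry in parsed["entries"].get("O16", []):
        url = entry.rsplit(" - ", 1)[1].strip() if " - " in entry else ""
        if not url:
            out.append({"code": "O16", "item": entry, "reason": "no download URL recorded"})
        elif IP_URL_RE.match(url):
            out.append({"code": "O16", "item": entry,
                        "reason": "ActiveX package fetched from an IP-literal host"})
    return out


if __name__ == "__main__":
    for f in triage(parse_log(LOG)):
        print(f"[{f['code']}] {f['reason']}\n    {f['item']}")
```

    Run over the excerpt it marks four lines: HijackThis itself running from the root of C:, the mobsync.exe autostart given without a path, the JInitiator package fetched from 147.1.248.24 (an address the log's R1 ProxyOverride line lists among those reached without the proxy, so an internal host rather than an unknown one), and the O16 entry with no name or URL. Each is a line to look at, which is exactly the step rtty asks the poster to leave to a human; none of them is a verdict.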
  4. nmorrisonaz (Thread Starter), Joined: Jun 8, 2004, Messages: 5
    Well, the whole group looks a bit silly. We were checking firewall logs, scanning the ports, checking Event Viewer, etc. After two hours we have finally identified the problem.

    Her wireless keyboard and mouse were intercepting signals from other wireless mice. Slapped on the corded variety and now she is off and running. "Reading" her email and launching several Internet Explorer windows was just a fluke.

    Thanks!
     


Short URL to this thread: https://techguy.org/238047
