Think someone is spying on me: ports have SubSeven, BioNet, etc. What do I do?


#1 Renzo12 (Members, 16 posts)

Posted 22 June 2009 - 06:43 PM

Strange but true: for the past several months, I've had a lot of issues getting emails sent, personal communication misappropriated, and possibly someone contacting people on my email list with libelous information. It's led me to believe someone might be taking screen captures or otherwise gaining access to my online activities.

Today I ran a PCFlank.com scan of "open ports." It told me I had the following Trojans: SubSeven, Masters Paradise and Ringzero, NetBus, BioNet, and Back Orifice. Flank said all were "stealthed" and shouldn't be a problem, but I'm not so sure.

Bought the full version of Spyware Doctor and ran it today, but the flank scan turned up the same notices. I had a bad bout with spyware a year or so ago, and I'm fearful remnants have remained, something new got in, or I'm getting f-cked with. Can anyone help?

#2 Blade (Site Admin, 12,701 posts, Location: US)

Posted 22 June 2009 - 09:08 PM

Hello Renzo12,

Let's see if we can dig anything up.



Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

***************************************************

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (uncheck all others):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 Renzo12 (Topic Starter, Members, 16 posts)

Posted 23 June 2009 - 05:45 PM

Done. Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/22/2009 at 06:02 PM

Application Version : 4.26.1004

Core Rules Database Version : 3951
Trace Rules Database Version: 1893

Scan type : Complete Scan
Total Scan Time : 01:14:11

Memory items scanned : 232
Memory threats detected : 0
Registry items scanned : 5975
Registry threats detected : 5
File items scanned : 62484
File threats detected : 0

Rogue.Component/Trace
HKLM\Software\Microsoft\A48F5F22
HKLM\Software\Microsoft\A48F5F22#a48f5f22
HKLM\Software\Microsoft\A48F5F22#Version
HKLM\Software\Microsoft\A48F5F22#a48ff2a2
HKLM\Software\Microsoft\A48F5F22#a48f9b47

#4 Blade (Site Admin, 12,701 posts, Location: US)

Posted 23 June 2009 - 05:58 PM

Hello Renzo12,

SUPERAntiSpyware didn't turn up anything worrisome, just what appear to be some remnants of a past infection. I don't think there's anything going on that you should be concerned about.

Rereading your initial post, I think you may have misunderstood the purpose of the PCFlank scan you ran. An open port is not necessarily a sign of being infected. It is merely saying that your machine is currently configured to send and receive information through a particular port. Certain programs by default use certain ports to communicate with the Internet. What the scan probably actually told you was that the ports normally used by the programs you listed were "open", not that you were infected with said programs.

Anyway, I can maybe offer some help in how to increase your level of protection. What Antivirus, and what Firewall are you currently using?

If you still believe that you're infected, I'll be happy to refer you to the Malware Forum where someone can take a much more thorough look at your computer.

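The point Blade makes above, that a port reported "open" or "stealthed" by a remote scanner says nothing about which program (if any) is behind it, can be checked locally by mapping each flagged port to the process that owns it. The following is an added example, not code from the thread or from any of the tools mentioned: it parses constructed `netstat -ano` output (Windows XP format), and the port-to-trojan watchlist is an assumption for illustration, since the thread does not list the scanner's port numbers.

```python
"""Map scanner-flagged ports to local listeners, parsed from `netstat -ano` output."""
import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output (XP layout), not taken from the thread.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6881           0.0.0.0:0              LISTENING       2240
  TCP    192.168.1.5:1049       74.125.45.100:80       ESTABLISHED     1684
  UDP    0.0.0.0:6881           *:*                                    2240
"""

# Ports conventionally associated with trojans named in the thread. Assumed defaults
# for illustration only; the scanner's own port list was not posted.
TROJAN_PORTS = {27374: "SubSeven", 12345: "NetBus", 31337: "Back Orifice"}

# proto, local addr, local port, foreign addr, optional state (UDP has none), pid
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

@dataclass
class Listener:
    proto: str
    port: int
    pid: int

def parse_listeners(text):
    """Return TCP sockets in LISTENING state and all UDP sockets, with owning PID."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header, or a line in an unexpected layout
        proto, _addr, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not listeners
        out.append(Listener(proto, int(port), int(pid)))
    return out

def triage(text, flagged_ports, watchlist=TROJAN_PORTS):
    """For each port a scanner flagged: (watchlist label, owning PID or None).

    A PID of None means no local process listens there, so a "stealthed" result
    simply reflects the firewall dropping the probe, not a backdoor answering it.
    """
    by_port = {(s.proto, s.port): s.pid for s in parse_listeners(text)}
    return {p: (watchlist.get(p, "unlisted"), by_port.get(("TCP", p)))
            for p in flagged_ports}
```

Where a PID is returned, Task Manager (with the PID column enabled) shows which program owns it, which is the check to make before concluding that a listener is malicious.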


#5 Renzo12 (Topic Starter, Members, 16 posts)

Posted 23 June 2009 - 06:02 PM

Blade,

Thank you. Couple things that probably bear mentioning:

- I recall getting a "Your Firewall is not turned on" message during Windows boot fairly frequently, but when I went to My Controls to check, it said it was turned on. Very odd.

- Firewall is just standard Windows. Running PandaCloud as an antivirus.

- I ran Malware Bytes last night. I wonder if that may have not caught an infection that was then eliminated. Log is below:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

6/21/2009 11:22:49 PM
mbam-log-2009-06-21 (23-22-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 166594
Time elapsed: 2 hour(s), 18 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\MSINET.oca.vir (Rogue.Trace) -> Quarantined and deleted successfully.

#6 Blade (Site Admin, 12,701 posts, Location: US)

Posted 23 June 2009 - 07:59 PM

I highly recommend that you install and use a firewall with outbound protection.
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers.
I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall (remember to uncheck Install Comodo Antivirus) or Kerio.
See BleepingComputer's excellent tutorial to help with using and understanding a firewall here.
Note: You should only have one firewall installed at a time. Having more than one firewall program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

As for the Malwarebytes scan, could you please update Malwarebytes and then run a quick scan? Please then post the log back here for my review. I still don't see anything to be worried about, I just want to double check something. :thumbsup:

In your next reply, please include the following:
Malwarebytes log

Edited by Blade Zephon, 23 June 2009 - 08:00 PM.



#7 Renzo12 (Topic Starter, Members, 16 posts)

Posted 23 June 2009 - 08:23 PM

I downloaded and activated Comodo. Should I turn the generic Windows Firewall off?

Tried to update MalwareBytes, but it gave me an error code 732. Log is below:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

6/22/2009 9:22:15 PM
mbam-log-2009-06-22 (21-22-15).txt

Scan type: Quick Scan
Objects scanned: 90982
Time elapsed: 4 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
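The two Malwarebytes logs posted in this thread (the full scan in post #5 with its three Security Center items, and the clean quick scan in post #7) share one layout: a header, a summary block of counts, then one detail section per count. The parser below is an added example, not code from the thread or from Malwarebytes; it runs on a constructed excerpt in that format, cross-checks the summary counts against the detail lines, and pulls out the `Disabled.SecurityCenter` values, which is what the log says was suppressing the firewall and antivirus warnings.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log: header fields, summary counts, detected items."""
import re

# Constructed excerpt in the format of the logs posted in this thread (not a full log).
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Scan type: Full Scan (C:\|)
Registry Data Items Infected: 2
Files Infected: 1

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\MSINET.oca.vir (Rogue.Trace) -> Quarantined and deleted successfully.
"""

# Detail line: "<target> (<detection>) [-> Bad: (x) Good: (y)] -> <action>."
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\)"
                     r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
                     r" -> (?P<action>.+?)\.?$")
# Summary line: "<section> Infected: <n>"
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")

def parse_mbam_log(text):
    header, counts, items, section = {}, {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := SUMMARY_RE.match(line):            # summary block
            counts[m["section"]] = int(m["count"])
        elif line.endswith(" Infected:"):          # start of a detail section
            section = line[:-1]
        elif section is None and ": " in line:     # header fields before any section
            key, value = line.split(": ", 1)
            header[key] = value
        elif section and (m := ITEM_RE.match(line)):
            items.append({"section": section, **m.groupdict()})
    return header, counts, items

def count_mismatches(counts, items):
    """Sections whose summary count differs from the detail lines actually listed."""
    listed = {s: sum(i["section"] == s for i in items) for s in counts}
    return {s: (counts[s], listed[s]) for s in counts if counts[s] != listed[s]}

def security_center_tampering(items):
    """Security Center *DisableNotify values found set to 1 (their warnings were suppressed)."""
    return sorted(i["target"].rsplit("\\", 1)[-1] for i in items
                  if i["detection"] == "Disabled.SecurityCenter" and i["bad"] == "1")
```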

#8 Renzo12 (Topic Starter, Members, 16 posts)

Posted 23 June 2009 - 08:25 PM

Also: Comodo is noting that my BitTorrent software is sending information, but the software is not open. I don't know if that's normal or not.

#9 Blade (Site Admin, 12,701 posts, Location: US)

Posted 23 June 2009 - 08:35 PM

The log looks good!

As far as updating Malwarebytes goes, make sure Comodo is set to allow mbam.exe to connect to the Internet. That is usually the source of the problem causing Error 732.

~Blade

Edited by Blade Zephon, 23 June 2009 - 08:36 PM.



#10 Renzo12 (Topic Starter, Members, 16 posts)

Posted 23 June 2009 - 08:37 PM

Thank you, Blade. Help very much appreciated.

#11 Blade (Site Admin, 12,701 posts, Location: US)

Posted 23 June 2009 - 08:41 PM

Well... torrent software and other P2P apps are an easy way to get infections on your system.

These programmes allow users to share files between them, as the name suggests. In today's world, cyber crime has reached an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

EDIT: Haha it seems you are one step ahead of me. It was my pleasure, glad I could help :thumbsup:

Edited by Blade Zephon, 23 June 2009 - 08:42 PM.
