Hacker remote control PC?

5 replies to this topic

#1 letsridenow (Members, 3 posts)

Posted 24 December 2010 - 09:00 PM

Attached File: tcpviewlog.txt (3.09KB)

Hi, new to the forum. Woke up this morning (4am dog walk) and found my computer with my Family Lawyer software running and WordPad running. In my sleepiness, I figured that the Enter key must have been pressed on the desktop and it opened it, or my wife was nosing around. No biggie. Later in the day, I opened Firefox to Google a recipe for Xmas Eve dinner, then walked away. A couple of hours later, I sit down at the PC and, at the same search page for the recipes, I notice a strange email address logged in to the Google site, such as sg****@gmail.com. I ask wife and sitter and everyone else, and no one touched the PC. So, I disconnected from the net and ran Malwarebytes and Norton, with only cookies found. No other problems. However, yesterday I installed IrfanView to open a picture that was used with a Mac. Could I have installed a hacked version of IrfanView on my PC which opened it to some slimeball in another country? The thing that does not make sense to me: someone goes through all the trouble to hack a PC, searches and finds Family Lawyer and opens it to see what I am worth and all that, then he uses my browser to log in to a Gmail account? Doesn't make sense to me. Unless he put some silent SMTP program on to send out spam through a Gmail account and Windows still had it logged in? Anyone have ideas? Would love to be able to run a scan to make sure all is clean; otherwise, I'll just nuke, reformat, and reinstall.
I like knowing answers and that's why I'm here, because I am out of my element. Thanks in advance.
James

Edited by letsridenow, 25 December 2010 - 12:55 PM.



#2 Grinler (Lawrence Abrams, Admin, 43,718 posts, USA)

Posted 28 December 2010 - 11:04 AM

The TCPView log looks clean. I agree it does not make sense. My guess is the programs were opened by accident. It happens all the time. Someone puts something on the keyboard and boom, programs launch.

Are you positive the sg***@ account does not belong to someone who may have access to the computer?

Also what AV scan did you use?

#3 letsridenow (Topic Starter)

Posted 28 December 2010 - 11:28 AM

I am extremely positive that no one else had access. I did a scan at ShieldsUP at GRC.com and it found port 81 open, which has been used by RemoConChubo with aliases:
[Kaspersky] Backdoor.Chubo
[Eset] Win32/Chubo.A trojan
[F-Prot] security risk or a "backdoor" program
[Panda] Bck/Chubo
[Computer Associates] Backdoor/Chubo

I used Malwarebytes and Norton Antivirus both updated to latest program and databases.
I don't think that the buttons were pressed by mistake, as they are not on my desktop; I thought that at the time (half asleep). Also, my display settings were changed to 1280 x 720, down from 1280 x 1024, which gave a large 2-inch bar on top and bottom of the viewable screen (24" monitor).
I appreciate your help. Is there anything you can suggest to probe a little deeper to see?
Thanks,
James

#4 Grinler (Lawrence Abrams, Admin)

Posted 28 December 2010 - 06:15 PM

Here are your listening ports, which are what you are concerned with when it comes to backdoors. They all look good:

airprint.exe 631 - This program is supposed to listen on a port
alg.exe 1046 - normal
AppleMobileDeviceService.exe 27015 - Normal
ccSvcHst.exe 1053 - Symantec
Dropbox.exe 17500 - Normal
jqs.exe 5152 - part of java normal
mDNSResponder.exe 5354 - normal
rpcapd.exe 2002 - Normal if you intentionally installed a program that requires WinPcap. This is a remote packet capture port. Did you install a sniffer?
svchost.exe 135 - Windows port
System 139 - Windows port
System 445 - Windows Port

Now grc.com states that you have port 81 open. I don't see that port listed in the TCPView list. Are you port forwarding that port on your router to an internal port?

Is your router using remote administration on port 81?
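The triage Grinler does by hand above (enumerate local listeners, decide which are expected, then reconcile with what an outside scanner sees) can be scripted. The following is an added example, not code from the thread or from any tool mentioned in it. It parses a constructed "process port" listing in the shape of the post above, checks it against a hypothetical per-machine baseline, flags listeners that are only legitimate if deliberately installed (rpcapd.exe), and reports any port an external scan found open that no local process is bound to, which is the signal that the exposure is upstream (a router port-forward or remote-admin page) rather than a backdoor on the host. The baseline, the REVIEW table and the external scan result {81} are all assumptions made for the example.

```python
import re

# Constructed sample in the "process port" shape of the listing above.
SAMPLE_LISTENERS = """\
airprint.exe 631
alg.exe 1046
AppleMobileDeviceService.exe 27015
ccSvcHst.exe 1053
Dropbox.exe 17500
jqs.exe 5152
mDNSResponder.exe 5354
rpcapd.exe 2002
svchost.exe 135
System 139
System 445
"""

# Hypothetical baseline for this machine: process -> ports it may bind.
# An empty set means "any port" (the process picks an ephemeral one).
EXPECTED = {
    "airprint.exe": {631},
    "alg.exe": set(),
    "AppleMobileDeviceService.exe": {27015},
    "ccSvcHst.exe": set(),
    "Dropbox.exe": {17500},
    "jqs.exe": {5152},
    "mDNSResponder.exe": {5354},
    "svchost.exe": {135},
    "System": {139, 445},
}

# Listeners that are legitimate only if the owner deliberately installed them
# (assumed table for the example).
REVIEW = {
    "rpcapd.exe": "WinPcap remote packet capture daemon; fine only if you installed a sniffer",
}

LINE_RE = re.compile(r"^(?P<proc>\S+)\s+(?P<port>\d{1,5})\s*$")


def parse_listeners(text):
    """Return a list of (process, port) tuples from a 'process port' listing."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        out.append((m.group("proc"), int(m.group("port"))))
    return out


def triage(listeners, external_open, expected=EXPECTED, review=REVIEW):
    """Classify local listeners and reconcile them with an external port scan.

    external_open: ports an outside scanner (e.g. ShieldsUP) reported open.
    Returns a dict with:
      unexpected         - (process, port) pairs not covered by the baseline
      review             - (process, port, reason) needing an owner decision
      reachable          - local ports that are also open from outside
      external_not_local - ports open from outside but bound by no local
                           process: look upstream (router port-forward,
                           remote administration) rather than at the host
    """
    local_ports = {port for _, port in listeners}
    result = {"unexpected": [], "review": [], "reachable": [], "external_not_local": []}
    for proc, port in listeners:
        if proc in review:
            result["review"].append((proc, port, review[proc]))
        elif proc not in expected or (expected[proc] and port not in expected[proc]):
            result["unexpected"].append((proc, port))
    result["reachable"] = sorted(local_ports & set(external_open))
    result["external_not_local"] = sorted(set(external_open) - local_ports)
    return result


def demo():
    """Run the triage on the constructed listing with ShieldsUP reporting 81 open."""
    return triage(parse_listeners(SAMPLE_LISTENERS), external_open={81})


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key}: {items}")
```

On a real Windows box the listing would come from TCPView or `netstat -ano` (which needs the PID mapped back to a process name first); the point of the reconciliation step is that a port open from the Internet but absent from the local listener list cannot be explained by host-side malware and has to be chased on the router or another device on the LAN.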

#5 letsridenow (Topic Starter)

Posted 28 December 2010 - 08:09 PM

OMG, you rock. I completely forgot about setting up an old Internet camera on port 81, which is shut down. I will close that port now on the router, thank you! And yes, I installed IPScan to check the device IPs on my network.
However, I am still perplexed about the "user id" at the Google page. It's still there (left it on purpose and disconnected from the Internet).
Any program that would be the perfect tool that can tell me if I'm "clean"?
Thanks for solving the port 81 mystery!

#6 Grinler (Lawrence Abrams, Admin)

Posted 29 December 2010 - 12:08 AM

If it's a backdoor, then running a few AV scans should pick something up.

If it's a hacker, then they would have needed access somehow. You seem technically savvy, so check your services for ones that don't appear right, or startup programs that shouldn't be there.

As for the email, with you logged in can you access gmail or other google accounts?
If you are logged in already you can go here to see if you can determine more info:

https://www.google.com/accounts/ManageAccount
