
Q. about suspicious activity, Cyberghost virus?


8 replies to this topic

#1 Hellraiser666 (Members)

Posted 25 October 2014 - 01:21 PM

Hello,

 

I'm confused about something and hoping someone in here can clear it up. About a year ago I downloaded and used the Cyberghost VPN. After six months I got bored with it and uninstalled it. About a week ago I downloaded from Bleeping that Glasswire program. Since I'm not overly knowledgeable about computing I tend not to fully understand many of these programs, including this one. Anyway, Glasswire seems to indicate that Cyberghost.com servers in Germany and Romania are doing a lot of communicating with my computer, some files as big as 2 mb. And I'm trying to come up with any good reason why this should be. Nothing I seem to be doing seems to offer any rational explanation why they would need to communicate so often--at all, really--with my computer.

 

Anyway, very quickly, I went into my firewall (which I rarely do) and found something called "Check point VPN," and I'm wondering if that isn't something they installed and are still using for their own, possibly nefarious, reasons. So I disallowed that item, and hopefully it will do the trick. There's another VPN item, "f5 vpn," but that seems like something I might need, I'm not sure. I really don't know what the heck I'm doing. So, can anyone tell me why Cyberghost is tapping my computer? And what I should do, if anything.

 

I should add, I have run about 6 different anti-malware programs, including MB antiroot, and got zilch infections. So that gave me no clues.


Edited by Hellraiser666, 25 October 2014 - 03:46 PM.




#2 Didier Stevens (BC Advisor)

Posted 25 October 2014 - 04:49 PM

You mention Check Point VPN and F5 VPN.

 

Is this something you found in the inbound and outbound firewall rules? More precisely rules named CheckPoint.vpn and f5.vpn.client?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 Hellraiser666 (Topic Starter)

Posted 25 October 2014 - 06:04 PM

You mention Check Point VPN and F5 VPN.

 

Is this something you found in the inbound and outbound firewall rules? More precisely rules named CheckPoint.vpn and f5.vpn.client?

 

Yes, they're in both inbound and outbound, private and domain, any program, and activated. Don't know if they are supposed to be there or if they were added later because of some download, like Cyberghost, for example. It's just suspicious that Cyberghost.com is communicating with my computer because none of my activity accounts for it. I block third party cookies on Firefox, I use Ghostery to block crap, I have the "flag" add-on that tells me which servers my browser is calling up, never has it been Cyberghost's servers. But then I check Glasswire and it says an app has communicated with Cyberghost.com, usually Romania or Germany, as a Host Process for Windows Services. Problem is I don't know much, so this could be nothing at all to worry about. I'm more curious than anything. Am I wrong in my puzzlement with this?



#4 Didier Stevens (BC Advisor)

Posted 25 October 2014 - 06:22 PM

These rules are not in Windows 7 Firewall by default, but they are on my PC too. I guess these rules are created when you create VPN connections (I use a different VPN provider than you).

This seems normal to me, as Check Point and F5 offer corporate VPN solutions.

 

No, it is not normal that you still see activity to Cyberghost when you have uninstalled it. As the "Host Process for Windows Services" is reported as the origin of these connections, check your list of Windows Services for anything related to Cyberghost or VPN.


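As an added example (not from the thread and not Didier Stevens' own code), here is a PowerShell triage script that performs the checks discussed in posts #2 and #4: it lists firewall rules such as CheckPoint.vpn and f5.vpn.client, services whose name or binary path mentions the VPN product, leftover TAP adapters, and established connections mapped back to the services hosted inside each svchost.exe (the "Host Process for Windows Services"). It assumes Windows PowerShell 5.1 on Windows 8.1 or later run as Administrator (the Get-Net* cmdlets are not available on Windows 7, where netsh advfirewall and netstat -bno are the equivalents); the name pattern is an assumption to adjust to the product that was uninstalled.

```powershell
# Added example, not from the thread: triage leftover VPN components on Windows.
# Assumes Windows PowerShell 5.1+ run as Administrator. The pattern below is an
# assumption; adjust it to the product that was uninstalled.
$pattern = 'cyberghost|openvpn|vpn|tap-win'

# 1. Services: "Host Process for Windows Services" is svchost.exe hosting one or more
#    services, so the service list is where an orphaned VPN component would show up.
$services = Get-CimInstance Win32_Service
Write-Host '== Services matching pattern =='
$services |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $pattern } |
    Select-Object Name, DisplayName, State, StartMode, PathName |
    Format-Table -AutoSize

# 2. Firewall rules such as CheckPoint.vpn or f5.vpn.client, with direction and profile.
Write-Host '== Firewall rules matching pattern =='
Get-NetFirewallRule |
    Where-Object { "$($_.Name) $($_.DisplayName)" -match $pattern } |
    Select-Object Name, DisplayName, Direction, Enabled, Profile, Action |
    Format-Table -AutoSize

# 3. Virtual adapters: OpenVPN-based clients leave a TAP-Windows adapter behind.
Write-Host '== Network adapters matching pattern =='
Get-NetAdapter -IncludeHidden |
    Where-Object { "$($_.Name) $($_.InterfaceDescription)" -match $pattern } |
    Select-Object Name, InterfaceDescription, Status |
    Format-Table -AutoSize

# 4. Established connections with the owning process and, for svchost.exe, the
#    services running inside that PID (Win32_Service.ProcessId gives the mapping).
$svcByPid = $services | Where-Object ProcessId -gt 0 |
    Group-Object -Property ProcessId -AsHashTable -AsString
Write-Host '== Established TCP connections =='
Get-NetTCPConnection -State Established | ForEach-Object {
    $proc   = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $hosted = $svcByPid["$($_.OwningProcess)"]
    [pscustomobject]@{
        Remote   = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
        PID      = $_.OwningProcess
        Process  = $proc.ProcessName
        Services = if ($hosted) { ($hosted.Name | Sort-Object) -join ',' } else { '' }
    }
} | Sort-Object Remote | Format-Table -AutoSize
```

A remote address that resolves to the VPN provider and a Services column naming a VPN-related service is the correlation the thread was missing; that service, its binary, and the adapter are then the things to remove.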


#5 Hellraiser666 (Topic Starter)

Posted 25 October 2014 - 07:05 PM

These rules are not in Windows 7 Firewall by default, but they are on my PC too. I guess these rules are created when you created VPN connections (I use another VPN provider than you).

This seems normal to me, as Check Point and F5 offer corporate VPN solutions.

 

No, it is not normal that you still see activity to Cyberghost when you have uninstalled it. As the "Host Process for Windows Services" is reported as the origin of these connections, check your list of Windows Services for anything related to Cyberghost or VPN.

 

Okay, I scoured Autoruns and didn't see anything, except "Open VPN Project," but I Googled it and it seems to check out okay, especially since it dates to the day I bought the computer. So, I don't know. I'm not going to stress over this issue, but it bugs me not knowing. Even with my limited knowledge it seems that the best explanation of course is that there's something in my system initiating this communication, but I can't imagine why. If you think of something please let me know. Otherwise I'll just keep an eye on things. Doesn't seem to be hurting my laptop in any way, but I don't like the idea of someone working a back door on my computer, they could do anything.



#6 Didier Stevens (BC Advisor)

Posted 25 October 2014 - 07:20 PM

If you have OpenVPN running as a service, then it certainly can be the service that connects to Cyberghost.




#7 Hellraiser666 (Topic Starter)

Posted 25 October 2014 - 07:39 PM

If you have OpenVPN running as a service, then it certainly can be the service that connects to Cyberghost.

 

You may be right. I just realized the date on that VPN is from about the time I downloaded that Cyberghost. I'd looked at the wrong date the first time. I think I'll go into Autoruns and disconnect that sucker. Cyberghost communications were supposed to be secure so this VPN driver seems to offer the best explanation, it might be the link in the chain that kills this thing. I'll give it a try. Thanks. If I discover anything interesting I'll get back to ya.



#8 Didier Stevens (BC Advisor)

Posted 25 October 2014 - 07:52 PM

You're welcome.



#9 Hellraiser666 (Topic Starter)

Posted 04 November 2014 - 11:17 AM

Hello,

 

I thought I'd add one final interesting note about this issue. Remember, I'd started using Glasswire recently and was noticing some unexplained communication from Cyberghost.com as an SVCHOST process months after I'd uninstalled their software from my computer. This made no sense to me on any level. After many clean security scans I decided to email my concerns to Cyberghost. They responded in two days, and in part said, "It does sound like some component still remained on your computer but it's really unclear what exactly happened. If you could provide us with more details, we could help out." I never did take the time to get back to them. But interestingly, now when I run Glasswire there is not even a hint of their presence as before--nothing, and I have made no mentionable changes on my computer that might account for it. That certainly is an interesting coincidence. Now I'm not suggesting here that they were doing anything inappropriate at all. And since I'm not overly knowledgeable about the technical aspects of computing there may have been a rather simple explanation, perhaps I uninstalled incorrectly, though that still wouldn't explain why it stopped on its own months later. This issue seemed to possess just enough technical value to share. Hope I didn't bore you to tears with it. :)





