Question

Am I hacked? Or monitored?

Asked by: moh10ly

Hello Experts,
I go online most of the time and sometimes I go to chat, but I never receive files from anyone or open websites. I have AVG Anti-Spyware fully updated, I have Avast Pro also updated, and ZoneAlarm Pro installed a week ago. Windows is updated too.
My problem is that one day I entered this Yahoo chat room and an Indian guy came and told me that I have a Yahoo patch. I'm not sure if he means a keylogger or anything else, and he told me that he sees what I am doing... I guess he means a keylogger, which really scared me. I then downloaded all kinds of anti-spyware and anti-keylogger tools and scanned my PC. I cleaned a lot of spyware, but I'm still not sure if my PC is still hacked or keylogged. What got me here is that today someone told me that he also has a patch on my PC. I have scanned my PC for any unknown established connections by using netstat -a and used tracert; before, I used to get like 6 lines when I opened a few programs like Yahoo and MSN, now when they are open I have like 20 or 30 connections, most of them established...
Also ZoneAlarm gives me alerts that some IP is trying to connect to my NetBIOS???

"ZoneAlarm security alert

The firewall has blocked internet access to your Computer (NetBIOS Name) from 83.8.78.79 (UDP Port 1024)."

So my question is: how do I know if I'm hacked or being monitored?


Asked on: 2007-06-22 at 07:33:58 (ID 22651328)
Topics: Anti-Spyware, Proxy/Firewall Anti-Virus, Networking Security Vulnerabilities
Participating experts: 8
Points: 500
Comments: 69


Answers

 

by: moh10ly, posted on 2007-06-22 at 07:49:49 (ID: 19341865)

Now I have this alert:
The firewall has blocked internet access to your Computer (NetBIOS Name) from 21.49.200.condor.ubr7223.tco.papnet.cl(200.49.21.14)(UDP Port 2495).

and this:
The firewall has blocked internet access to your Computer (NetBIOS Name) 213.17.9.234 netbios name

 

by: FOTC, posted on 2007-06-22 at 09:17:23 (ID: 19342633)

200.49.21.14 resides in Chile
http://www.dnsstuff.com/tools/ipall.ch?%26ip%3D200.49.21.14

83.8.78.79 resides in Poland
http://www.dnsstuff.com/tools/ipall.ch?%26ip%3D83.8.78.79

ZoneAlarm has been known to throw false speculations. Now, if you are in chat rooms there are probably going to be people from all over the world in the room as well, and this is where the out-of-country IPs are coming from. If you are talking to them, a connection was made, which would show up in the netstat results.

AVG sometimes gets picked up by other spyware programs as being a known spyware application. If I were you, I would recommend you use something other than ZoneAlarm and AVG. I don't really recommend software for people to purchase, simply because there are many free programs out there that can do just as well, such as Spybot Search & Destroy.

But in your case I would recommend that you spend a few bucks and purchase PC Tools Spyware Doctor & Anti-Virus software. You can get it from www.pctools.com for $39.99 for the bundled price.

I'm assuming that you paid for the ZoneAlarm and AVG software. If you did, then I would suggest you count it as a loss and get a better program that is a bit more reliable, such as PC Tools, McAfee or Norton Internet Security.

Also, if you are still worried, contact your ISP and request that they change your IP address. They will want to know why, so be prepared to explain to them that you think someone has obtained your IP address and has been using it to monitor your activity. For the time being, increase the level of security on your current firewall application.

Hope that helps.

 

by: FOTC, posted on 2007-06-22 at 09:18:39 (ID: 19342639)

One more thing: you might want to change your NIC; doing that will give your computer a different MAC address.

 

by: moh10ly, posted on 2007-06-22 at 11:54:52 (ID: 19343870)

Thank you for your information, FOTC.

I already have Spyware Doctor; the version is 4.6 and updated.
I have Spybot Search & Destroy updated too and scanned, but no results. I also downloaded ScanSpyware from PC Security Center and scanned my PC with it and lots of other anti-spyware; every one gave me different spyware detections, mostly of medium risk level. I have cleaned all of them. By the way, while I was doing the netstat I was not chatting to anyone, but it gave me like 20 or 25 established connections. I'm pasting the netstat -a result here for you to analyse.

--------------------------------------------

D:\DOCUME~1\Moh10ly>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    home:epmap             home:0                 LISTENING
  TCP    home:microsoft-ds      home:0                 LISTENING
  TCP    home:2869              home:0                 LISTENING
  TCP    home:gds_db            home:0                 LISTENING
  TCP    home:5051              home:0                 LISTENING
  TCP    home:5101              home:0                 LISTENING
  TCP    home:netbios-ssn       home:0                 LISTENING
  TCP    home:1093              mg-in-f125.google.com:5222  ESTABLISHED
  TCP    home:1099              cs51.msg.dcn.yahoo.com:5050  ESTABLISHE
  TCP    home:1105              sip20.voice.re2.yahoo.com:https  ESTABL
  TCP    home:1126              a195.22.198-72.deploy.akamaitechnologie
p  ESTABLISHED
  TCP    home:1127              a195.22.198-85.deploy.akamaitechnologie
p  ESTABLISHED
  TCP    home:1128              bs1.ads.vip.ukl.yahoo.com:http  TIME_WA
  TCP    home:1027              home:0                 LISTENING
  TCP    home:12025             home:0                 LISTENING
  TCP    home:12080             home:0                 LISTENING
  TCP    home:12110             home:0                 LISTENING
  TCP    home:12119             home:0                 LISTENING
  TCP    home:12143             home:0                 LISTENING
  TCP    home:netbios-ssn       home:0                 LISTENING
  TCP    home:2096              home.mshome.net:2869   TIME_WAIT
  TCP    home:13565             home.mshome.net:2869   TIME_WAIT
  TCP    home:31548             home.mshome.net:2869   TIME_WAIT
  TCP    home:37586             home.mshome.net:2869   TIME_WAIT
  TCP    home:58544             home.mshome.net:2869   TIME_WAIT
  TCP    home:58866             home.mshome.net:2869   TIME_WAIT
  UDP    home:microsoft-ds      *:*
  UDP    home:isakmp            *:*
  UDP    home:1052              *:*
  UDP    home:1077              *:*
  UDP    home:1645              *:*
  UDP    home:2568              *:*
  UDP    home:4089              *:*
  UDP    home:4500              *:*
  UDP    home:4969              *:*
  UDP    home:4970              *:*
  UDP    home:4971              *:*
  UDP    home:4972              *:*
  UDP    home:4973              *:*
  UDP    home:5051              *:*
  UDP    home:ntp               *:*
  UDP    home:netbios-ns        *:*
  UDP    home:netbios-dgm       *:*
  UDP    home:1111              *:*
  UDP    home:1112              *:*
  UDP    home:1900              *:*
  UDP    home:8000              *:*
  UDP    home:56963             *:*
  UDP    home:ntp               *:*
  UDP    home:1646              *:*
  UDP    home:1900              *:*
  UDP    home:4011              *:*
  UDP    home:4090              *:*
  UDP    home:4660              *:*
  UDP    home:4875              *:*
  UDP    home:domain            *:*
  UDP    home:bootps            *:*
  UDP    home:bootpc            *:*
  UDP    home:ntp               *:*
  UDP    home:netbios-ns        *:*
  UDP    home:netbios-dgm       *:*
  UDP    home:1900              *:*
  UDP    home:3898              *:*
  UDP    home:14036             *:*

----------------

Now I'm wondering, what is this connection?
a195.22.198-85.deploy.akamaitechnologie
I have used Whois to capture the location and some information on what this is, but never knew who it belongs to and whether it's adware on my PC????

a195.22.198-72.deploy.akamaitechnologies.com

Akamai Technologies, Inc.
 8 Cambridge Center
 Cambridge, MA 02142
 US

 Domain name: AKAMAITECHNOLOGIES.COM

 Administrative Contact:
    Hostmaster, Akamai  hostmaster-billing@akamai.com
    8 Cambridge Center
    Cambridge, MA 02142
    US
    +1.6174443000    Fax: +1.6174443001

 Technical Contact:
    Hostmaster, Akamai  hostmaster-billing@akamai.com
    8 Cambridge Center
    Cambridge, MA 02142
    US
    +1.6174443000    Fax: +1.6174443001

 

by: FOTC, posted on 2007-06-22 at 13:12:16 (ID: 19344470)

a195.22.198-85.deploy.akamaitechnologie

Akamai Technologies is a worldwide service that offers proxies to third-party companies. This company relies on a fleet of thousands of Linux machines distributed across the whole planet. When somebody, like Microsoft, contracts its services, Akamai is in charge of acting as "intermediary" between its client (in the example, Microsoft) and those who want to use that client's services. Continuing with the example, months ago Microsoft contracted Akamai's services to overcome a DDoS attack it was suffering. This way, the Microsoft pages were served from Akamai's machines, not Microsoft's own. Akamai's technology also allows the machines offering the proxy service to be the ones geographically nearest to the user. So you can relax. Akamai Technologies is no more than an Internet maintenance company that provides service to many other important companies in the sector.

Do you happen to have MSN Messenger running? If so, that is the culprit of that IP connection. It may not necessarily be MSN using the connection; it could actually be a number of M$ programs using the source.

 

by: moh10ly, posted on 2007-06-22 at 18:07:43 (ID: 19346055)

This is good information, but how do I make certain that I don't have any keyloggers monitoring my keyboard, chatting and conversations? As it happens, ZoneAlarm gave me an alert when I launched Internet Explorer and went to type an address. Below is the alert.

ZONEALARM SECURITY ALERT
SUSPICIOUS BEHAVIOR
Internet Explorer is attempting to monitor user activities on this computer.
If allowed, it may try to track or log keystrokes (user input), mouse movements/clicks, websites visited and other user behaviors.
Application: iexplore.exe

Something else: I have had another connection running, but it usually disappears, like it shows for a few seconds. I think to myself that it could be ads from when I was trying to enter an online scanning website, hacker org or something like that...
Here's an example..

75.126.76.14-static.reverse.softlayer.com


Registrant:
   SoftLayer Technologies, Inc
   6400 International Pkwy
   Suite 1200
   Plano, Texas 75093
   United States

   Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: SOFTLAYER.COM
      Created on: 05-May-05
      Expires on: 05-May-16
      Last Updated on:

   Administrative Contact:
      Inc, SoftLayer Technologies  support@softlayer.com
      SoftLayer Technologies, Inc
      6400 International Pkwy
      Suite 1200
      Plano, Texas 75093
      United States
      2144420602      Fax -- 2144420601

   Technical Contact:
      Inc, SoftLayer Technologies  support@softlayer.com
      SoftLayer Technologies, Inc
      6400 International Pkwy
      Suite 1200
      Plano, Texas 75093
      United States
      2144420602      Fax -- 2144420601

   Domain servers in listed order:
      UDNS1.ULTRADNS.NET
      UDNS2.ULTRADNS.NET

And this other website..

domain:' record.
% Domain ownership disputes should be settled using ICANN's Uniform Dispute
% Resolution Policy: http://www.icann.org/udrp/udrp.htm
% For inquiries about 'by policy' protection, please check directly
% with the appropriate registry (Eurid, AFNIC)
%
% Date: 2007/06/23 03:04:30


unknown host rejected 41.208.69.236


And this too?
209-59-189-74.webserversystems.com
 Web Server Systems
   231 Market Place, #180
   San Ramon, CA 94583
   US

   Domain Name: WEBSERVERSYSTEMS.COM

   Administrative Contact, Technical Contact, Zone Contact:
      Web Server Systems
      Todd Mitchell
      231 Market Place, #180
      San Ramon, CA 94583
      US
      (888)748-3526
      http://www.emailaddressprotection.com [email]


-----------------------
Note that those only appear when I go to some specific websites, and they only appear for a few seconds then disappear...
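The hostnames in this post (and the Akamai name FOTC explained earlier) are reverse-DNS names that encode the peer's IP address, and their domain suffix tells you who operates the address block; the whois dumps above confirm that for softlayer.com and webserversystems.com. The following is an added example, not code from this thread or from any tool named in it: it recovers the embedded IPv4 address from such a name, checks whether a name shown by `netstat -a` really corresponds to the address `netstat -n` shows for the same row (some ISPs write the octets reversed, as in the papnet.cl name ZoneAlarm printed, or only the first three), and extracts the operator's domain to look up in whois. The function names are mine; the operator-domain helper simply takes the last two labels, which is wrong for two-level suffixes such as co.uk.

```python
"""Decode PTR-style hostnames as shown by `netstat -a` (added example)."""
import ipaddress
import re

OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
# four octets separated by "." or "-", not glued to other digits
EMBEDDED = re.compile(rf"(?<!\d)({OCTET})[.-]({OCTET})[.-]({OCTET})[.-]({OCTET})(?!\d)")


def embedded_ipv4(hostname):
    """Dotted-quad addresses spelled out inside a reverse-DNS name, in the order written."""
    return [".".join(m.groups()) for m in EMBEDDED.finditer(hostname)]


def name_matches_address(hostname, address):
    """'full' if all four octets of `address` appear in the name (forward or reversed),
    'partial' if only the first three do (some ISPs encode just the network part),
    otherwise 'none'."""
    octets = str(ipaddress.IPv4Address(address)).split(".")
    sep = r"[.-]"
    for seq in (octets, octets[::-1]):
        if re.search(rf"(?<!\d){sep.join(seq)}(?!\d)", hostname):
            return "full"
    prefix = octets[:3]
    for seq in (prefix, prefix[::-1]):
        if re.search(rf"(?<!\d){sep.join(seq)}(?!\d)", hostname):
            return "partial"
    return "none"


def operator_domain(hostname):
    """Registrable domain of the host, i.e. the name to look up in whois.
    Assumption: last two labels; wrong for public suffixes such as co.uk."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def describe(hostname, address=None):
    """Summary for one foreign endpoint: who runs it and whether name and address agree."""
    ips = embedded_ipv4(hostname)
    guessed = ips[0] if ips else None
    match = name_matches_address(hostname, address) if address else "unknown"
    ip = address or guessed
    if ip is None:
        scope = "unknown"
    else:
        scope = "private" if ipaddress.ip_address(ip).is_private else "public"
    return {"host": hostname, "operator": operator_domain(hostname),
            "embedded_ip": guessed, "name_matches_address": match, "scope": scope}


if __name__ == "__main__":
    # Names copied from the thread; the address for the .cl host is the one ZoneAlarm printed.
    for host, addr in [("a195.22.198-85.deploy.akamaitechnologies.com", None),
                       ("75.126.76.14-static.reverse.softlayer.com", None),
                       ("209-59-189-74.webserversystems.com", None),
                       ("21.49.200.condor.ubr7223.tco.papnet.cl", "200.49.21.14")]:
        print(describe(host, addr))
```

Run `netstat -a` and `netstat -n` back to back and feed each foreign name and its numeric address to `describe`: a name whose embedded address disagrees with the numeric one is worth a closer look, while a matching name under a CDN or hosting operator's domain is just the other end of a browser or messenger session.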

 

by: moh10ly, posted on 2007-06-22 at 18:18:08 (ID: 19346079)

I have tested my open ports and they resulted as follows in the report.
http://www.pcflank.com/scanner_r.htm?session_id=99f7e96e4f32b2c0f3c224f7d7fb3b12&test_page=report

Port    State      Service
21      stealthed  FTP
23      stealthed  TELNET
1243    stealthed  SubSeven
3128    stealthed  Masters Paradise and RingZero
12345   stealthed  NetBus
12348   stealthed  BioNet
27374   stealthed  SubSeven
31337   stealthed  Back Orifice
135     closed     RPC
137     closed     NETBIOS Name Service
138     closed     NETBIOS Datagram Service
139     closed     NETBIOS Session Service
1080    closed     SOCKS PROXY
80      open       HTTP

 

by: bloodymalth5, posted on 2007-06-23 at 20:15:44 (ID: 19349735)

OMG!!!!
SubSeven,
NetBus,
BioNet
and Back Orifice are all REMOTE CONTROL trojan programs.

You need to boot your computer into safe mode with networking. Then go to http://housecall.trendmicro.com and run a full scan.

Let it find and remove everything. Reboot and repeat the above, then let it boot normally. Do another scan and see what you get, like you did above with the ports.

This is very important and you need to do this as soon as possible!!!

After this is all done, run Windows Update:
http://update.microsoft.com

If this still doesn't work, then I would take it to a PC shop for removal before you continue to use it!

 

by: burrcm, posted on 2007-06-23 at 21:12:28 (ID: 19349918)

Better idea: format C:. Set it up as you want it. Install Deep Freeze (www.faronics.com). Reboot daily. Then it won't matter what you catch.

Chris B

 

by: Merete, posted on 2007-06-23 at 23:19:53 (ID: 19350094)

moh10ly, I use ZoneAlarm Pro and you should disable it from warning you about every ping attack; it scares people seeing the amount of ping attacks.
It is normal and happens all the time while we are browsing the world.
Just let it monitor your system silently.
Have a read:
http://www.softpedia.com/reviews/windows/ZoneAlarm-Free-Review-14799.shtml

"Internet Explorer is attempting to monitor user activities on this computer." << This is normal and part of its monitoring system; it's referring to you.
You can change this feature and stop it from telling you everything.

Every web page we open usually has ads of some type.
If you feel you're not protected enough, install SpywareBlaster, update it, then immunize fully.
SpywareBlaster doesn't scan and clean for spyware; it prevents it from ever being installed.
http://www.javacoolsoftware.com/

Most routers have NAT installed. Your first protection.
If you look in your Temporary Internet Files you will see many listings from ads on the web; that is why it pays to make sure all your AV and spyware protection is always kept up to date.
Run CCleaner often:
http://www.ccleaner.com/
Scan with HijackThis once in a while.
Download HijackThis 1.99.1 from the direct link, top right corner:
http://www.hijackthis.de/
Save it to a folder on your desktop and then install to that.
Run the scan and save a log, but don't fix.
Copy the entire log and paste it there as well >> http://www.hijackthis.de/
Below the panel, hit Analyze, then just scroll down to
have a look at the results of the analyzed log.

I use a small tool to monitor my ports, very easy to use, which may put your mind at rest:
Active Ports
This program enables you to monitor all open TCP/IP and UDP ports on a local computer. It maps ports to the originating application, and displays a local and remote IP address for each connection.
http://www.tucows.com/preview/213738

Merete

 

by: moh10ly, posted on 2007-06-24 at 05:46:00 (ID: 19350887)

Hello bloodymalth5,

I'm afraid you got that test wrong, because it does a test on the ports which SubSeven may go on and sees whether these ports have any established connection. My test was as I have posted above: the ports are stealthed and only the HTTP port is open... so am I really hacked?

One other thing: I have already gone into safe mode. When safe mode starts to load the .sys files, there's a new file after agp.sys called "SPTD.sys"; the system asks me whether to load this file or not. I press no, and then after going into the admin account I located the file in system32\drivers and deleted it. This happened 2 times; the file was deleted successfully both times, but it returned the first time. Now I'm not sure if it still returns..!

I have uninstalled ZoneAlarm's firewall and purchased Outpost's firewall, and it doesn't give me that many alerts, but sometimes it gives me an attack detection alert. Up to now there were 2 attacks detected:

No. 1
attack type: port scan
IP Address: 122.124.128.63
Scan Port Details: TCP (6588, 7212, PROXY:3128, PRoxy:8080, Socks)

No. 2
attack type: Port Scan
IP Address: 32.107.56.21
Scan Port Details: TCP (3951, 12608, 7340, 13022, 7870)

I have run a trojan test on this website, http://www.pcflank.com, and all resulted stealthed, even the SubSeven trojan.
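Every alert quoted in this thread so far, ZoneAlarm's and Outpost's alike, is about an inbound packet the firewall dropped: a probe at UDP 137 (what ZoneAlarm labels "NetBIOS Name") or a scan for open proxy ports says nothing about whether the PC is compromised, which is the point Merete makes about switching the pop-ups off. What would matter is an outbound connection from a process you do not recognise, and no alert on this page reports one. The following is an added example, not part of the thread or of either firewall, that parses the two alert formats quoted above (ZoneAlarm's one-line message, in which the parenthesised port after the source address is the remote end's source port, and Outpost's three-line port-scan record) and summarises, per source address, which local ports were probed, what that looks like, and whether everything was blocked inbound traffic. The port-to-category table and the assumption that Outpost's attack detection dropped the scanning host's packets are mine; the sample text is the alerts from the thread pasted together.

```python
"""Triage pasted ZoneAlarm / Outpost firewall alerts (added example)."""
import re
from collections import defaultdict

# ZoneAlarm names the local service that was probed; map the labels seen in the
# thread to the port they stand for (NetBIOS name service = UDP 137).
ZA_TARGETS = {"netbios name": ("UDP", 137), "netbios datagram": ("UDP", 138),
              "netbios session": ("TCP", 139)}
# Outpost prints some scanned ports by service name rather than number.
PORT_NAMES = {"socks": 1080}

ZA_LINE = re.compile(
    r"blocked internet access to your computer \((?P<target>[^)]+)\)\s*(?:from\s+)?"
    r"(?P<src>[\w.-]+)\s*(?:\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?\s*"
    r"(?:\((?P<proto>TCP|UDP) Port (?P<sport>\d+)\))?", re.I)


def classify_port(port):
    """Rough intent of a probe by destination port (my categories, not the firewall's)."""
    if port in (135, 137, 138, 139, 445):
        return "netbios-smb probe"
    if port in (1080, 3128, 8080, 6588):
        return "open-proxy scan"
    return "other"


def parse_alerts(text):
    """One event dict per alert; both formats describe inbound traffic the firewall dropped."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ZA_LINE.search(line)
        if m:
            proto, port = ZA_TARGETS.get(m.group("target").lower(), (m.group("proto"), None))
            events.append({"tool": "zonealarm", "source": m.group("ip") or m.group("src"),
                           "source_port": int(m.group("sport")) if m.group("sport") else None,
                           "proto": proto, "dst_ports": [port] if port else [],
                           "direction": "inbound", "blocked": True})
            continue
        key, _, val = line.partition(":")
        key = key.strip().lower()
        if key == "attack type":
            # Assumption: Outpost's attack detection drops the scanning host's packets.
            cur = {"tool": "outpost", "kind": val.strip().lower(), "source_port": None,
                   "direction": "inbound", "blocked": True}
        elif key == "ip address" and cur is not None:
            cur["source"] = val.strip()
        elif key == "scan port details" and cur is not None:
            proto, _, rest = val.strip().partition(" ")
            ports = []
            for tok in rest.strip("() ").split(","):
                digits = re.search(r"\d+", tok)
                port = int(digits.group()) if digits else PORT_NAMES.get(tok.strip().lower())
                if port is not None:
                    ports.append(port)
            cur.update(proto=proto.upper(), dst_ports=ports)
            events.append(cur)
            cur = None
    return events


def summarize(events):
    """Per source: ports probed, what that looks like, and whether it was all blocked inbound."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["source"]].append(e)
    return {src: {"events": len(evs),
                  "ports": sorted({p for e in evs for p in e["dst_ports"]}),
                  "kinds": sorted({classify_port(p) for e in evs for p in e["dst_ports"]}),
                  "blocked_inbound_only": all(e["direction"] == "inbound" and e["blocked"]
                                              for e in evs)}
            for src, evs in by_src.items()}


# Constructed sample: the alerts quoted in this thread, pasted together.
SAMPLE_ALERTS = """\
The firewall has blocked internet access to your Computer (NetBIOS Name) from 83.8.78.79 (UDP Port 1024).
The firewall has blocked internet access to your Computer (NetBIOS Name) from 21.49.200.condor.ubr7223.tco.papnet.cl(200.49.21.14)(UDP Port 2495).
The firewall has blocked internet access to your Computer (NetBIOS Name) 213.17.9.234 netbios name
attack type: port scan
IP Address: 122.124.128.63
Scan Port Details: TCP (6588, 7212, PROXY:3128, PRoxy:8080, Socks)
attack type: Port Scan
IP Address: 32.107.56.21
Scan Port Details : TCP (3951,12608,7340, 13022, 7870)
"""

if __name__ == "__main__":
    for src, info in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(src, info)
```

When every source comes out as `blocked_inbound_only`, the firewall did its job and there is nothing to chase; the rows that deserve attention are the ones the firewall logs as an outbound connection from a program you did not start.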


 

by: moh10ly, posted on 2007-06-24 at 05:50:29 (ID: 19350901)

Hello burrcm,
Thanks for your suggestion, but formatting is not an option; I have hundreds of applications installed and I'm not able to reinstall all of them in case I have to reformat, so I want to get rid of being hacked or monitored.

Hello to you, Merete.
I will try SpywareBlaster and report to you whether it finds anything.
I already have CCleaner, and I used HijackThis and it's all clean.
For monitoring my TCP and UDP connections I usually use netstat, but now I've got a better tool, which is Sysinternals TCPView, and it also reports nothing.

 

by: moh10ly, posted on 2007-06-24 at 06:18:39 (ID: 19350952)

Thanks Vee_Mod.

I will check the link you posted and download HijackThis again; I will do the analysis on hijackthis.de and will post the result link here.

 

by: moh10ly, posted on 2007-06-24 at 06:26:45 (ID: 19350983)

This is a direct link to my uploaded HijackThis result file.
http://www.ee-stuff.com/Expert/Upload/getFile.php?fid=3815

 

by: bloodymalth5, posted on 2007-06-24 at 06:31:08 (ID: 19351001)

moh10ly,

After looking at your post further, it looks like it said that the ports above are stealthed. So you should be protected by your router. However, I would still follow my steps above. Trend Micro is a free virus scanner that will remove any virus or spyware that it finds for free, and it's an online one.

After you do that, make sure you can get Windows updated with the latest critical updates.

I would also go to Start, Run, type cmd. Then type in netstat -a and paste the output here.

Hope this helps.

 

by: moh10ly, posted on 2007-06-24 at 06:41:13 (ID: 19351037)

I have scanned my PC and it shows a lot of viruses and trojans; I removed all of them and scanned 2 times, but this was like a week ago. I also scanned my PC with the Kaspersky online scanner. Here's the result.

http://www.sendspace.com/file/n0wbk7

I removed most of them and disabled System Restore, but couldn't delete those logs in the system, even in safe mode.... ?

Here's my netstat for the minute; I have only Google Talk, Yahoo Messenger and Internet Explorer open.

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    home:epmap             home:0                 LISTENING
  TCP    home:microsoft-ds      home:0                 LISTENING
  TCP    home:803               home:0                 LISTENING
  TCP    home:gds_db            home:0                 LISTENING
  TCP    home:5051              home:0                 LISTENING
  TCP    home:5101              home:0                 LISTENING
  TCP    home:netbios-ssn       home:0                 LISTENING
  TCP    home:1055              cs15.msg.dcn.yahoo.com:5050  ESTABLISHED
  TCP    home:1060              sip37.voice.re2.yahoo.com:https  ESTABLISHED
  TCP    home:1160              mg-in-f125.google.com:5222  ESTABLISHED
  TCP    home:3061              mu-in-f147.google.com:http  ESTABLISHED
  TCP    home:3077              damnsmalllinux.org:http  TIME_WAIT
  TCP    home:1029              home:0                 LISTENING
  TCP    home:netbios-ssn       home:0                 LISTENING
  UDP    home:microsoft-ds      *:*
  UDP    home:isakmp            *:*
  UDP    home:1031              *:*
  UDP    home:1054              *:*
  UDP    home:1092              *:*
  UDP    home:2138              *:*
  UDP    home:4500              *:*
  UDP    home:5051              *:*
  UDP    home:ntp               *:*
  UDP    home:netbios-ns        *:*
  UDP    home:netbios-dgm       *:*
  UDP    home:1063              *:*
  UDP    home:1064              *:*
  UDP    home:1900              *:*
  UDP    home:ntp               *:*
  UDP    home:1032              *:*
  UDP    home:1058              *:*
  UDP    home:1164              *:*
  UDP    home:1900              *:*
  UDP    home:domain            *:*
  UDP    home:bootps            *:*
  UDP    home:bootpc            *:*
  UDP    home:ntp               *:*
  UDP    home:netbios-ns        *:*
  UDP    home:netbios-dgm       *:*
  UDP    home:1900              *:*
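Reading a raw `netstat -a` listing by eye is how this thread got its "20 or 30 connections" scare: a LISTENING row with `home:0` as the peer is a local socket waiting for connections, TIME_WAIT is a finished connection draining, and only ESTABLISHED rows are live peers. The following is an added example, not code from the thread or from any tool named in it, that parses such a listing in both the `netstat -a` form pasted above and the `netstat -ano` form (whose trailing PID column does what Merete's Active Ports and the poster's TCPView do: tie a port to a process), separates listeners from live connections, checks each live peer's port against the services the poster says are running, and checks the listening ports against the trojan default ports the pcflank test looked for, which is the check bloodymalth5 wanted and the scan report answered. The allowlist of expected remote ports and the mapping of Windows service names to numbers are mine; the first sample is the TCP rows of the listing above plus one 31337 listener I added so the trojan-port check has something to fire on, and the second is a constructed `netstat -ano` fragment using documentation addresses.

```python
"""Triage a pasted Windows `netstat -a` / `netstat -ano` listing (added example)."""
import re

# Service names Windows substitutes for port numbers (from the system's services file).
NAMED_PORTS = {"http": 80, "https": 443, "epmap": 135, "netbios-ns": 137,
               "netbios-dgm": 138, "netbios-ssn": 139, "microsoft-ds": 445,
               "gds_db": 3050, "ntp": 123, "domain": 53, "bootps": 67,
               "bootpc": 68, "isakmp": 500}
# Remote ports the programs the poster says are open should be talking to (my allowlist).
EXPECTED_REMOTE = {5050: "Yahoo Messenger", 5222: "XMPP (Google Talk)",
                   80: "HTTP", 443: "HTTPS"}
# Default ports of the remote-control trojans the pcflank scan tested for.
TROJAN_PORTS = {1243: "SubSeven", 27374: "SubSeven", 12345: "NetBus",
                12348: "BioNet", 31337: "Back Orifice"}

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?(?:\s+(\d+))?\s*$")


def split_endpoint(endpoint):
    """'host:port' -> (host, port number or None); handles service names and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    if port.isdigit():
        return host, int(port)
    return host, NAMED_PORTS.get(port)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, console-wrapped fragments
        proto, local, foreign, state, pid = m.groups()
        if state and state.isdigit():   # `-ano` UDP rows carry a PID but no state
            pid, state = state, None
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport,
                     "state": (state or "").upper(), "pid": int(pid) if pid else None})
    return rows


def is_listener(row):
    """TCP LISTENING sockets and bound UDP sockets (shown with a '*:*' peer)."""
    return row["state"] == "LISTENING" or (row["proto"] == "UDP" and row["foreign_host"] == "*")


def triage(rows):
    listening = sorted({(r["proto"], r["local_port"]) for r in rows if is_listener(r)})
    trojan_hits = [(proto, port, TROJAN_PORTS[port]) for proto, port in listening
                   if port in TROJAN_PORTS]
    # ESTABLISHED is sometimes cut off by the console width, so match the prefix.
    established = [r for r in rows if r["state"].startswith("ESTAB")]
    unexplained = [r for r in established if r["foreign_port"] not in EXPECTED_REMOTE]
    return {"listening": listening, "trojan_ports": trojan_hits,
            "established": established, "unexplained": unexplained}


# Constructed sample 1: the TCP rows of the listing above, plus one 31337 listener
# that is NOT in the poster's output, added so the trojan-port check fires.
SAMPLE_A = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    home:epmap             home:0                 LISTENING
  TCP    home:microsoft-ds      home:0                 LISTENING
  TCP    home:5051              home:0                 LISTENING
  TCP    home:netbios-ssn       home:0                 LISTENING
  TCP    home:1055              cs15.msg.dcn.yahoo.com:5050  ESTABLISHED
  TCP    home:1060              sip37.voice.re2.yahoo.com:https  ESTABLISHED
  TCP    home:1160              mg-in-f125.google.com:5222  ESTABLISHED
  TCP    home:3061              mu-in-f147.google.com:http  ESTABLISHED
  TCP    home:3077              damnsmalllinux.org:http  TIME_WAIT
  TCP    home:31337             home:0                 LISTENING
  UDP    home:ntp               *:*
  UDP    home:netbios-ns        *:*
"""
# Constructed sample 2: `netstat -ano` form with a PID column (RFC 5737 documentation addresses).
SAMPLE_ANO = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.0.2.10:1055        203.0.113.7:5050       ESTABLISHED     2364
  UDP    0.0.0.0:123            *:*                                    1012
"""

if __name__ == "__main__":
    result = triage(parse_netstat(SAMPLE_A))
    print("listening:", result["listening"])
    print("trojan default ports listening:", result["trojan_ports"])
    print("live peers:", [(r["foreign_host"], r["foreign_port"]) for r in result["established"]])
    print("unexplained:", result["unexplained"])
    for r in parse_netstat(SAMPLE_ANO):
        print(r["proto"], r["local_port"], r["state"] or "-", "pid", r["pid"])
```

On the poster's real listing the trojan-port check comes back empty and every ESTABLISHED peer is on a Yahoo, XMPP or web port, which agrees with the pcflank report; a hit in `unexplained` is the row to take the PID from (`netstat -ano`) and look up with `tasklist`, not the raw count of rows.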

 

by: moh10ly, posted on 2007-06-24 at 09:19:39 (ID: 19351542)

Yes, true, and I've done a lot of scans with many anti-spyware tools; I'll list some of them.
1- AVG Anti-Spyware.
2- Ad-Aware Anti-Spyware Professional version.
3- a2 Anti-Malware.
4- F-Secure BlackLight.
5- Spyware Doctor.
6- Spybot Search and Destroy.

And a lot of other software, and most of those were giving me negative results, which is spyware existence.
I have downloaded SuperAntiSpyware Pro and scanned in normal mode, got like 3 spywares.

Will do a scan in safe mode and will comment later.
Regarding the firewall, I have an ADSL modem only, but I guess my ISP is using a proxy server.
I have Outpost Firewall installed for now.

I still wonder what that file is that loads in safe mode, sptd.sys?

Here's a direct link to the scan result of SuperAntiSpyware.
http://www.ee-stuff.com/Expert/Upload/getFile.php?fid=3817

 

by: bloodymalth5, posted on 2007-06-24 at 09:29:45 (ID: 19351578)

OK, thanks for posting the log file of your online virus scan.

As Vee_Mod stated, the antivirus is only one part.

Here is what I want you to do exactly.

1. Boot the computer into safe mode.
2. Download and run HijackThis v2 at this link: http://www.merijn.org/files/HiJackThis_v2.exe
3. Save your HijackThis scan log to the desktop for easy retrieval.
4. Download and run RootkitRevealer at http://download.sysinternals.com/Files/RootkitRevealer.zip
5. Download and run the F-Secure BlackLight scanner:
 https://europe.f-secure.com/exclude/blacklight/fsbl.exe
6. Run a free online HouseCall antivirus scan @ http://housecall.trendmicro.com
7. Download and run Spybot: http://fileforum.betanews.com/detail/Spybot_Search_and_Destroy/1043809773/1
8. Boot back to normal mode. Run a netstat -a and put your HijackThis log and your HouseCall log somewhere so we can all see it.

Thanks for working so hard on this!

 

by: bloodymalth5Posted on 2007-06-24 at 09:31:14ID: 19351583

Also, while I was typing that, you posted :)

Please do the following as I stated. I see that you used HijackThis 1.99. Please use the one that I requested above.

Thanks!

 

by: bloodymalth5Posted on 2007-06-24 at 09:33:31ID: 19351593

 

by: moh10lyPosted on 2007-06-24 at 09:42:16ID: 19351618

OK bloodymalth5, will do it.
But regarding sptd.sys, is it safe to leave this file in memory, even though I'm using Daemon Tools for some games on my computer?

 

by: bloodymalth5Posted on 2007-06-24 at 10:53:57ID: 19351881

Yes, it's safe. If you have that program that it uses installed, it's OK to leave it. I have checked several places, and it is not spyware/virus. Depending on what type of virus scanner you use, it could be flagged as spyware because of the way that it tries to hide itself from Windows.

 

by: rpggamergirlPosted on 2007-06-24 at 15:35:06ID: 19352574

Hi,

Thanks for the heads up Vee_Mod.

Most hackers leave behind a small file or trojan in your system that they control, so try and find these files as you're already doing. I would do more searching for hidden files; BlackLight sometimes misses where others don't. I would also try RKR and Gmer.

Also try any of these port scanners; even though you already scanned your ports, these scanners have more info, like the process name.

Fport:
http://www.sysinternals.com/ntw2k/source/tcpview.shtml
This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path.

example log:
Pid Process Port Proto Path
636 svchost -> 135 TCP C:\WINDOWS\system32\svchost.exe
4 System -> 139 TCP
4 System -> 445 TCP
660 svchost -> 27374 TCP C:\WINDOWS\System32\s.exe

Looking at this output you can see that you have a program in the directory c:\windows\system32 called s.exe, and you can see that that filename looks suspicious. That's just an example of course.


Or TCPView:
http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx
TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. It also reports the name of the process that owns the endpoint.


Check out this forensic tutorial, "Have I Been Hacked?"
http://www.bleepingcomputer.com/tutorials/tutorial24.html


I would also run other malware diagnostic tools that you haven't run yet, like ComboFix, which not only removes multiple infections but also detects variants of the Rustock rootkit.


@bloodymalth5:
Correct me if I've got it wrong: are you suggesting running HijackThis in Safe Mode?
HijackThis must never be run in Safe Mode IF it runs in normal mode.

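A practitioner reading an Fport or TCPView listing usually wants the two checks the post's example relies on made explicit: does the process name match the image it was loaded from, and is a system-named binary actually running from the system directory? The following Python is an added example, not code from the post or from Sysinternals. It parses Fport-style lines (the ones quoted above plus one constructed entry, PID 1234) and flags both conditions; the regular expression, the SYSTEM_ONLY name list and the constructed entry are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Fport-style output: the lines quoted in the post above plus one constructed
# entry (PID 1234, port 4321) showing a system-named binary running from a
# user profile. Sample input only, not a real scan.
SAMPLE_LOG = """\
Pid Process Port Proto Path
636 svchost -> 135 TCP C:\\WINDOWS\\system32\\svchost.exe
4 System -> 139 TCP
4 System -> 445 TCP
660 svchost -> 27374 TCP C:\\WINDOWS\\System32\\s.exe
1234 svchost -> 4321 TCP C:\\Documents and Settings\\user\\svchost.exe
"""

# pid  process  ->  port  proto  [path with spaces allowed]
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")

# Executables that normally exist only under <drive>:\WINDOWS\system32 on XP.
# The same name elsewhere is a classic masquerade (assumed list, extend as needed).
SYSTEM_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe",
               "winlogon.exe", "smss.exe"}
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


@dataclass
class Endpoint:
    pid: int
    process: str
    port: int
    proto: str
    path: str


@dataclass
class Finding:
    pid: int
    port: int
    reason: str


def parse_fport(text: str) -> List[Endpoint]:
    """Parse Fport-style lines; the header and unparseable lines are skipped."""
    endpoints = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            endpoints.append(Endpoint(int(pid), proc, int(port), proto, path.strip()))
    return endpoints


def audit(endpoints: List[Endpoint]) -> List[Finding]:
    """Flag name/image mismatches and system-named images outside system32."""
    findings = []
    for ep in endpoints:
        if not ep.path:
            continue  # kernel-owned ports (PID 4 "System") carry no image path
        image = ep.path.rsplit("\\", 1)[-1].lower()
        if image.rsplit(".", 1)[0] != ep.process.lower():
            findings.append(Finding(ep.pid, ep.port,
                f"process name {ep.process!r} does not match image {image!r}"))
        if image in SYSTEM_ONLY and not SYSTEM32_RE.match(ep.path):
            findings.append(Finding(ep.pid, ep.port,
                f"{image} running outside system32: {ep.path}"))
    return findings


def audit_text(text: str) -> List[Finding]:
    return audit(parse_fport(text))


if __name__ == "__main__":
    for f in audit_text(SAMPLE_LOG):
        print(f"PID {f.pid} port {f.port}: {f.reason}")
```

The port number is deliberately not used as evidence: 27374 proves nothing on its own. What gives s.exe away is that a process calling itself svchost was loaded from a differently named file, and any listing that carries the image path (Fport, TCPView, CurrPorts) supports the same check.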
 

by: moh10lyPosted on 2007-06-24 at 15:36:03ID: 19352578

OK bloodymalth5,
I have run HijackThis and here's the link to the log file
http://www.ee-stuff.com/Expert/Upload/getFile.php?fid=3819

I ran the BlackLight rootkit eliminator and it says that it cannot be used in safe mode; please restart in normal mode.
Sysinternals RootkitRevealer didn't want to work in safe mode either.

I'm scanning now in normal mode and will post the result when done.

 

by: moh10lyPosted on 2007-06-24 at 16:14:09ID: 19352633

I ran Gmer and also ran BlackLight, but they found nothing.

I don't know what RKR is, but I will try to find it on Google and scan.
http://www.sysinternals.com/ntw2k/source/tcpview.shtml
The above link is not available, but I have the TCPView program.

TCPView reports nothing bad, I guess; here's a screenshot of the established connections at the moment.
http://www.ee-stuff.com/Expert/Upload/getFile.php?fid=3820

Note that I have scanned my ports using the PCFlank website and it reports that ports 135 and 137 are not stealthed. I have Outpost Firewall but I still don't know how to close ports using it.

I will run ComboFix and report back too.

 

by: bloodymalth5Posted on 2007-06-24 at 16:32:11ID: 19352659

Everything looks good on your HijackThis report, even though you are still running 1.99. This program version has a security issue with it.

Also, everything looks good on your TCPView report (doesn't look like any bad ports are open).

Keep me posted.

 

by: moh10lyPosted on 2007-06-24 at 16:59:40ID: 19352707

Here's the link for HijackThis 2. I'm sorry bloodymalth5, I uploaded the wrong file.

http://www.ee-stuff.com/Expert/Upload/getFile.php?fid=3821

 

by: bloodymalth5Posted on 2007-06-24 at 17:09:04ID: 19352721

Everything still looks good on this too!

Looks like it might be getting closer to getting everything back to normal again!

 

by: rpggamergirlPosted on 2007-06-24 at 17:31:26ID: 19352754

Vee_Mod is absolutely right there in the above post.

Your HijackThis log also shows that you're running in diagnostic startup mode. Did you disable any startup entries? If so, what were they? HijackThis will only scan enabled startup programs.

Also, sorry I didn't include the ComboFix link. And RKR is RootkitRevealer (which was already suggested).
Download ComboFix to your Desktop from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

 

by: moh10lyPosted on 2007-06-24 at 17:46:09ID: 19352782

LOL, I'm sorry, that was stupid; I know that I should run it in normal mode to check whether any server files or trojans, etc., are running.

Here's one in normal mode!
http://www.ee-stuff.com/Expert/Upload/getFile.php?fid=3822

 

by: bloodymalth5Posted on 2007-06-24 at 17:50:29ID: 19352786

It still looks fine in normal mode.

Thanks!

 

by: moh10lyPosted on 2007-06-24 at 17:57:08ID: 19352794

Thanks rpggamergirl, I have run RKR, which is short for RootkitRevealer. It ran and found 88 items; when I wanted to save them to the desktop, the program hung and no longer responded, which forced me to terminate its process.
I'll run it again now.

 

by: bloodymalth5Posted on 2007-06-24 at 18:22:19ID: 19352845

Also try running RootkitRevealer and BlackLight in normal mode. This will make sure that you got everything off.

Thanks for sticking with it.

 

by: moh10lyPosted on 2007-06-24 at 21:45:10ID: 19353471

RootkitRevealer is not saving the report; it hangs after finishing the scan, with the same result of 88 items.

BlackLight gives nothing in normal mode, but here's the promising program ComboFix: it found 2 weird files. Check the log file below.

Could these files be servers????
http://www.ee-stuff.com/Expert/Upload/getFile.php?fid=3823

 

by: rpggamergirlPosted on 2007-06-25 at 00:12:12ID: 19353820

ComboFix found some not-so-friendly files there, some backdoor trojans.
D:\WINDOWS\system32\SCVVHSOT.exe <-- is a worm; check to make sure this one is gone.
http://www.sophos.com/security/analyses/w32sillyfdcae.html


1.  Run this tool:
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe


2.  Also, Download MsnCleaner_eng.zip but don't use it yet.
http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip

Now reboot into Safe Mode
Double-click MsnCleaner_eng.exe to run it.
Click the Analyze button.
A report will be created once the scan finishes.
If it finds an infection, click the Deleted button.
Now, please reboot back to normal mode.


AdobeR.exe <-- in the Windows folder, flash drive infection; actually ComboFix would've removed this file if it was present, so maybe it's just the reg entries left.
RavMon.exe <-- R/Jump worm, flash drive infection

D:\WINDOWS\system32\nhatquanglan17.exe
Windows\Tasks <-- check your Windows\Tasks folder for any suspicious jobs.

2007-06-22 11:56: <-- also there are a lot of files with this date and time that look suspicious; what did you install at that very minute, or what happened?

 

by: FOTCPosted on 2007-06-25 at 05:15:51ID: 19354938

You should try using this program. Looks like your PC is overly infected with trojans/spyware. Sub7 is one of the biggest hacking tools available, along with all the others you had in there. You need to make sure you have TELNET disabled. You can do this by going to Start > Run > services.msc

When the window opens up, scroll down until you find Telnet. Right-click > Properties > and select "disable".

If I were you I'd install Hitman Pro (http://www.techspot.com/downloads/1278-hitman-pro.html), let it run and see what it finds. It's an open source spyware program that utilizes many heuristics from other programs to find viruses/trojans/spyware. Also, you should unplug your network connection when you are running scans.

 

by: moh10lyPosted on 2007-06-25 at 07:05:11ID: 19355677

rpggamergirl, I downloaded the file squatb-c.ide but I'm not able to run it due to no assigned application, and I don't have Sophos Antivirus to run it with, unless you want me to download and install it instead of NOD32?

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
I downloaded and ran this Flash_Disinfector and it says done after I put my memory stick in the USB port.

I downloaded this MsnCleaner_eng too and it found a file called login.dll in my system32 folder, and it was deleted.

The files AdobeR.exe, RavMon.exe and D:\WINDOWS\system32\nhatquanglan17.exe
do not exist.

Yesterday I checked my Windows Tasks folder on the command line with the command dir /a/s.
There was a hidden file, which I deleted; I'm not sure what the file's name was, but I deleted it right away.

Here are the files that exist now in my Tasks folder
 Directory of D:\WINDOWS\Tasks

06/23/2007  05:44 PM    <DIR>          .
06/23/2007  05:44 PM    <DIR>          ..
08/23/2001  07:00 AM                65 desktop.ini
04/25/2007  03:58 AM               402 MP Scheduled Quick Scan.job
06/25/2007  03:00 PM                 6 SA.DAT
06/25/2007  07:03 AM             2,620 SCHEDLGU.TXT
 
I'm not really sure about what I was doing the last two weeks; I was uninstalling and reinstalling a lot of programs, most of them antispyware programs.

 

by: moh10lyPosted on 2007-06-25 at 07:21:13ID: 19355805

Telnet is disabled, but when I ran PCFlank's quick test again, it shows that ports 1080, 135, 136, 137, 138 and 139 are open. How do I close them without affecting any programs?

Will post the result of Hitman Pro after the scan is done.

 

by: FOTCPosted on 2007-06-25 at 08:13:02ID: 19356309

It's actually a pain to do that in Windows. Use this tool to look at the open ports on your machine. The "bad" ports will show up in red.

http://www.nirsoft.net/utils/cports.zip

If you need further instructions:

http://www.nirsoft.net/utils/cports.html

 

by: moh10lyPosted on 2007-06-25 at 08:43:46ID: 19356608

OK, will do that FOTC. Now I'm still doing the scan you requested; my PC's heat is getting over the limit, I hope it doesn't burn with 3 fans inside LOL.

Vee_Mod
Thanks for the hint, I'll be waiting for her.

 

by: moh10lyPosted on 2007-06-25 at 09:08:29ID: 19356846

Here's the Hitman Pro report; I guess some Windows updates couldn't be installed.
http://www.ee-stuff.com/Expert/Upload/getFile.php?fid=3826

I will check Microsoft Windows Update for any available downloads.

 

by: bloodymalth5Posted on 2007-06-25 at 09:18:28ID: 19356911

Everything looks good with that report as well.

This section:
Could not install cumulative Security Update for Internet Explorer ()
Your system could be vulnerable to exploits mentioned in this Microsoft Security Bulletin: MS06-013

I would try to restart the machine and try to install this again.

 

by: rpggamergirlPosted on 2007-06-25 at 17:24:45ID: 19360235

>>I download the file squatb-c.ide but i'm not able to run it <<
My post wasn't clear; it was just a link for the info on that particular file. I didn't mean for you to download anything from that link, sorry.
Since you already have NOD32 and lots of experts here like NOD32, you might as well stick with that one.

>>The files AdobeR.exe ,RavMon.exe and D:\WINDOWS\system32\nhatquanglan17.exe
are not existed..<<
That's alright; ComboFix only listed "AdobeR.exe, RavMon.exe" as reg entries, so that means they're just leftovers, and Flash_Disinfector should've cleared those reg entries.


D:\WINDOWS\system32\SCVVHSOT.exe
D:\WINDOWS\system32\nhatquanglan17.exe
The files above are listed among the files created and/or modified in the last 30 days, so just check again please to make sure that they no longer exist.
Show hidden files and folders first and then look for them by navigating Windows Explorer.

IF you use the "Search" companion to look for them, you need to configure Search to look for hidden files and folders, because by default it will not look for hidden files even if Folder Options in Explorer is already showing hidden files.
Start > Search >
Click "all files and folders" then scroll down
and click "more advanced options"
put a check next to "hidden files and folders"
scroll up, type the file name and click Search.


And the windows\tasks folder is clean! No suspicious jobs.

Thanks Vee_Mod, :)

 

by: moh10lyPosted on 2007-06-25 at 19:55:06ID: 19360719

bloodymalth5, I checked for updates; no urgent updates are available...
I'll try to search for the security update and will try to install it under safe mode.


And yes rpggamergirl, I was infected by the SCVVHSOT.exe file less than a month ago, and that was from my external HDD. At that time I had Avast Pro antivirus, which couldn't remove it or even detect it; I had to use my experience when removing all these files, and this is exactly what I have done to remove them. Now I have uninstalled Avast and I got NOD32, which is doing a good job, I guess.

I already have "hide system files and folders" unchecked, and I went to my Windows folders; there are weird files... here are some:
TASKMAN.exe with a size of 15 KB
Now I know Task Manager is running from windows\system32 and has a size of 133 KB. So what is this file?

And also these files: WMSysPrx.prx
WMSysPr8.prx
WMSysPr9.prx
PCGWIN32.LI4
IntAnti.exe
BiImg.dll
I'll try to upload these files to some online file scanner to check them, but what do you think?

FOTC
I downloaded the tool you gave me; it's a really good tool, as it shows all the ports and all their assigned files.

Here's a CurrPorts scan screenshot.
http://www.ee-stuff.com/Expert/Upload/getFile.php?fid=3833

I guess ports 135, 137, 138 and 139 are being used by the system. How do I block them, and is it safe to do so?
Will that affect my home network? I have a home network with 3 computers; my computer is the master which distributes the internet connection to the other 2.

 

by: moh10lyPosted on 2007-06-25 at 20:04:27ID: 19360738

Hello bloodymalth5

I got the link for the security update; here's the link
http://www.microsoft.com/downloads/details.aspx?FamilyId=033C41E1-2B36-4696-987A-099FC57E0129&displaylang=en

This update addresses the vulnerability discussed in Microsoft Security Bulletin MS06-013.

But it's for Internet Explorer 6 SP1? I have Internet Explorer version 7 and I have SP2, so do I still have to download and install it?

 

by: FOTCPosted on 2007-06-26 at 06:41:47ID: 19363521

Well, from the results I would recommend that you uninstall Yahoo Messenger from your PC, at least for the time being. You can use the CurrPorts program to disable the ports. Just click the connection and click the red X at the top of the program. I think you can also right-click the connection to end it.

The IP address 41.208.66.6 is from Libyan Arab Jamahiriya. So I would suggest that you are being monitored or hacked. Did you contact your ISP to request they change your IP address? You SHOULD do this ASAP.

I would recommend you KILL all the instances of the 41.208.66.6 IP address. You can go into your router or firewall and block this IP address; do it ASAP.

 

by: moh10lyPosted on 2007-06-26 at 06:46:55ID: 19363582

Hello FOTC..
Thanks for your prompt reply. I forgot to tell you that this IP address is where I am; I'm actually staying in Libya now... sorry, my bad.

 

by: FOTCPosted on 2007-06-26 at 06:51:35ID: 19363634

Oh OK then....lol..disregard that. I would still recommend you talk to your ISP and request a change of IP address. Also, have you checked your online accounts for foul play, such as bank accounts, etc.? I'd start changing your passwords to everything. You do have the Administrator account password protected, right?

 

by: moh10lyPosted on 2007-06-26 at 07:20:07ID: 19363908

Yeah I do, for both my account and my admin account; they are both password protected...

I have changed my important e-mails' passwords, but is there any way to detect keyloggers other than the ones I used? I have used Anti-Keylogger and I Hate Keyloggers, but both of them installed some files which my antivirus detected as trojans/keyloggers and deleted.

I think it's probably a keylogger, which I tried to detect with all the antispyware programs, but it doesn't work.

When I used the Kaspersky online scanner, I got a detailed result showing some files in my system and Windows folders; they can't be opened nor deleted, and they end with the extension .log...!
What I know about keyloggers is that they create log files and then at a specific time they send those log files to the hacker...! So in this case I guess the hacker won't be connected to my computer for a lot of time...!

Is there any good anti-keylogger that you would recommend?

 

by: FOTCPosted on 2007-06-26 at 07:46:39ID: 19364166

I know one of the best anti-keyloggers is SpyCop, but you have to purchase that. It is used by the US Government and it has won numerous awards too.

.log files can be used by a number of programs. Many antivirus programs create .log files, as well as other products. Do a search for ".log" (without the quotes) on your system. Look at the directories. I just did one on my PC and I have 141 files with the .log extension... it doesn't necessarily mean you still have a keylogger.

 

by: moh10lyPosted on 2007-06-26 at 19:00:51ID: 19369263

I downloaded SpyCop and scanned but found nothing. I also tried RKR "RootkitRevealer" once again and took some screenshots before the attempt to save; here are some of them, which I guess are the most important.

1-
http://www.ee-stuff.com/Expert/Upload/getFile.php?fid=3840
2-
http://www.ee-stuff.com/Expert/Upload/getFile.php?fid=3841

Now, the log files that I mentioned are the following; this is what the Kaspersky online scan reports.

D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped  
 
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped  
 
D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat  Object is locked  skipped  
 
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped  
 
D:\Documents and Settings\LocalService\NTUSER.DAT  Object is locked  skipped  
 
D:\Documents and Settings\LocalService\ntuser.dat.LOG  

D:\Documents and Settings\Moh10ly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped  
 
D:\Documents and Settings\Moh10ly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped  

D:\Documents and Settings\Moh10ly\NTUSER.DAT  Object is locked  skipped  
 
D:\Documents and Settings\Moh10ly\ntuser.dat.LOG  Object is locked  skipped  
 
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped  
 
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped  
 
D:\Documents and Settings\NetworkService\NTUSER.DAT  Object is locked  skipped  
 
D:\Documents and Settings\NetworkService\ntuser.dat.LOG  Object is locked  skipped  

What do you think?

 

by: moh10lyPosted on 2007-06-26 at 19:07:37ID: 19369289

These too..

D:\WINDOWS\Debug\PASSWD.LOG  Object is locked  skipped  
 
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log  Object is locked  skipped  
 
D:\WINDOWS\Sti_Trace.log  Object is locked  skipped  
 
D:\WINDOWS\system32\CatRoot2\edb.log  Object is locked  skipped  
 
D:\WINDOWS\system32\CatRoot2\tmp.edb  Object is locked  skipped  
 
D:\WINDOWS\system32\config\Antivirus.Evt  Object is locked  skipped  
 
D:\WINDOWS\system32\config\AppEvent.Evt  Object is locked  skipped  
 
D:\WINDOWS\system32\config\default  Object is locked  skipped  
 
D:\WINDOWS\system32\config\DEFAULT.LOG  Object is locked  skipped  
 
D:\WINDOWS\system32\config\Internet.evt  Object is locked  skipped  
 
D:\WINDOWS\system32\config\ODiag.evt  Object is locked  skipped  
 
D:\WINDOWS\system32\config\OSession.evt  Object is locked  skipped  
 
D:\WINDOWS\system32\config\SAM  Object is locked  skipped  
 
D:\WINDOWS\system32\config\SAM.LOG  Object is locked  skipped  
 
D:\WINDOWS\system32\config\SecEvent.Evt  Object is locked  skipped  
 
D:\WINDOWS\system32\config\SECURITY  Object is locked  skipped  
 
D:\WINDOWS\system32\config\SECURITY.LOG  Object is locked  skipped  
 
D:\WINDOWS\system32\config\software  Object is locked  skipped  
 
D:\WINDOWS\system32\config\SOFTWARE.LOG  Object is locked  skipped  
 
D:\WINDOWS\system32\config\SysEvent.Evt  Object is locked  skipped  
 
D:\WINDOWS\system32\config\system  Object is locked  skipped  
 
D:\WINDOWS\system32\config\SYSTEM.LOG  Object is locked  skipped  
 
D:\WINDOWS\system32\config\Windows_OneCare_Evt.evt  Object is locked  skipped  
 
D:\WINDOWS\system32\drivers\sptd.sys  Object is locked  skipped  
 
D:\WINDOWS\system32\h323log.txt  Object is locked  skipped  
 
D:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log  Object is locked  skipped  
 
D:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl  Object is locked  skipped  
 
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR  Object is locked  skipped  
 
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP  Object is locked  skipped  
 
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER  Object is locked  skipped  
 
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP  Object is locked  skipped  
 
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP  Object is locked  skipped  
 
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA  Object is locked  skipped  
 
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP  Object is locked  skipped  
 
D:\WINDOWS\Tasks\SCHEDLGU.TXT  Object is locked  skipped  
 
D:\WINDOWS\Temp\Perflib_Perfdata_79c.dat  Object is locked  skipped  
 
D:\WINDOWS\Temp\_avast4_\Webshlock.txt  Object is locked  skipped  
 
D:\WINDOWS\wiadebug.log  Object is locked  skipped  
 
D:\WINDOWS\wiaservc.log  Object is locked  skipped  
 
D:\WINDOWS\WindowsUpdate.log  Object is locked  skipped  

 

by: cypherbadPosted on 2007-06-27 at 04:01:15ID: 19371098

You are indeed a target, or you are being fooled by that Indian guy. I mean, I start chatting with you and I tell you that I know you have a Yahoo patch. My god, he supposed that... you were in a Yahoo chat room, right... and I tell you I see what you are doing. Yeah right. I see everything, you know? My god, I can see you!!! He fooled you, mate. And ZA shows you all the non-important shit like a blocked connection from that IP. Maybe that IP is from a site that pinged you or something like that. You don't need to freak out and get 100000000+ antispyware software. Tell him to prove his acts! I really don't think that you are hacked or monitored!
Cheers!

 

by: FOTCPosted on 2007-06-27 at 05:09:30ID: 19371450

Well, from the looks of the logs, I didn't see anything out of the ordinary. The locked and skipped files are active files that are being utilized by the system and/or your profile. It looks like your problems are taken care of. I wouldn't be too worried anymore about being hacked or monitored. With the amount of programs you have installed and run, your system should be virtually free of those bugs. cypherbad is right about firewalls giving you false positives. You should try going into your router and disabling ICMP requests (ping, etc.). See if that stops the messages from appearing in ZA. But it seems that everything is looking good now.

 

by: moh10lyPosted on 2007-06-27 at 07:41:50ID: 19372671

OK, thank you guys so much for all the efforts.
Now I guess I should close this question and split points between experts.
But one last thing: is there any way to avoid the tracing of the websites I visit by my ISP? I mean that I don't wanna be spied on by my ISP while surfing on the internet... Any good programs that could do so?

 

by: FOTCPosted on 2007-06-27 at 08:15:03ID: 19373045

Well, to be honest with you, the only way you can keep your ISP from seeing what you are doing is to not get on the internet. They have great powers, ya know... but you can take steps to hide yourself better than others by means of a proxy server. A good one is http://www.hide-my-ip.com/

 

by: joele23Posted on 2007-06-27 at 10:47:10ID: 19374461

hide-my-ip would not prevent your ISP from seeing what you are doing; it's just acting as a proxy.
Your ISP will still know exactly where you're surfing; only the endpoint server would not know.
Plus they have a tool 'hide my MAC'; at the first hop your MAC has changed anyway.

I would not bother with that product or anything from that company.

 

by: joele23Posted on 2007-06-27 at 10:52:33ID: 19374506

Also, just because you're hit on a port does not mean it's a false positive, as people suggested. There are thousands and thousands of scanners on the net looking for unfirewalled/unpatched systems. Your firewall is reporting a true positive; it's just that in your case you don't have to worry about it.

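An added example, not a tool from the thread or from Zone Labs, that turns the alert line ZoneAlarm prints into the triage joele23 describes: group blocked events by source and separate one-off background scanning from a single host working through several of your services. The alert lines are constructed in ZoneAlarm's wording with addresses from the 192.0.2.0/24 documentation range; the regular expression and the threshold of three distinct services are my assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed alert lines in the wording ZoneAlarm uses (sample data, not a
# real log). Source addresses come from the 192.0.2.0/24 documentation range.
SAMPLE_ALERTS = [
    "The firewall has blocked internet access to your computer (NetBIOS Name) from 192.0.2.10 (UDP Port 137).",
    "The firewall has blocked internet access to your computer (NetBIOS Name) from 192.0.2.11 (UDP Port 137).",
    "The firewall has blocked internet access to your computer (NetBIOS Name) from 192.0.2.12 (UDP Port 137).",
    "The firewall has blocked internet access to your computer (TCP Port 135) from 192.0.2.50 (TCP Port 2301).",
    "The firewall has blocked internet access to your computer (TCP Port 139) from 192.0.2.50 (TCP Port 2302).",
    "The firewall has blocked internet access to your computer (TCP Port 445) from 192.0.2.50 (TCP Port 2303).",
    "The firewall has blocked internet access to your computer (TCP Port 1080) from 192.0.2.50 (TCP Port 2304).",
    "ZoneAlarm started.",  # unrelated line, must be ignored by the parser
]

# First parenthesis: the local service/port that was probed.
# Second parenthesis: the remote side's protocol and source port.
ALERT_RE = re.compile(
    r"blocked internet access to your computer \((?P<target>[^)]*)\) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) \((?P<proto>TCP|UDP) Port (?P<sport>\d+)\)",
    re.IGNORECASE,
)


def parse_alert(line: str) -> Optional[dict]:
    """Return the fields of one blocked-access alert, or None for other lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    return d


def triage(lines: List[str], scan_threshold: int = 3) -> Dict[str, dict]:
    """Group blocked alerts by source address.

    A source seen against one service is the ordinary background noise of an
    internet-facing host; a source touching `scan_threshold` or more distinct
    local services in the same log is a deliberate probe worth blocking
    upstream. Either way the firewall already dropped the packets.
    """
    by_src: Dict[str, dict] = defaultdict(lambda: {"hits": 0, "targets": set()})
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        entry = by_src[alert["src"]]
        entry["hits"] += 1
        entry["targets"].add(alert["target"])
    for entry in by_src.values():
        entry["verdict"] = "scan" if len(entry["targets"]) >= scan_threshold else "noise"
    return dict(by_src)


if __name__ == "__main__":
    for src, entry in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{src:12} hits={entry['hits']} services={len(entry['targets'])} -> {entry['verdict']}")
```

Every event here was blocked, so the verdict only decides whether an upstream block at the router is worth the effort; "noise" is the expected steady state of any host with a public address, which is the point joele23 makes.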
 

by: moh10lyPosted on 2007-06-27 at 17:05:32ID: 19377277

Hmm, sad info lol... But what about this Torpark browser?
I had this information about it.
Torpark is a program which allows you to surf the Internet anonymously. Download Torpark and put it on a USB Flash keychain. Plug it into any internet terminal whether at home, school, work, or in public. Torpark will launch a Tor circuit connection, which creates an encrypted tunnel from your computer indirectly to a Tor exit computer, allowing you to surf the Internet anonymously. Torpark is small, portable, clean, open-source, free of spyware/adware, and free.

Does surfing the internet anonymously still let your ISP trace you?

 

by: joele23Posted on 2007-06-27 at 17:24:47ID: 19377357

Here's the line from hide-my-ip that worries me:

"proxy IP addresses for totally anonymous browsing."

Now Torpark is different, as you connect locally and then are sent over an encrypted connection to a Tor server and then on to the URL you're visiting.
So yes, Torpark provides a way to hide yourself from your ISP.

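To make joele23's distinction concrete, here is an added Python example (not code from the thread, from Torpark or from the Tor project) that models what an ISP sitting on the first hop can read in the two cases. The relay names, the fixed demo keys and the SHA-256-based XOR cipher are stand-ins of my own for Tor's real handshake and AES/TLS layers; the proxy case assumes a plain, unencrypted HTTP proxy, which is what the post describes.

```python
import hashlib
from typing import Dict, List

# Hypothetical three-hop circuit. In real Tor each relay key comes from a
# handshake; fixed demo keys are used here so the run is reproducible.
CIRCUIT = ["guard", "middle", "exit"]
KEYS: Dict[str, bytes] = {
    r: hashlib.sha256(b"demo-key-" + r.encode()).digest() for r in CIRCUIT
}


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with SHA-256(key || block counter).

    Stand-in for Tor's AES/TLS layers, only to make 'who can read what'
    visible. Reusing a key for two messages would leak, so never use it
    for anything real.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def build_onion(dest: bytes, request: bytes) -> bytes:
    """Client side: innermost layer for the exit, then one layer per hop outward."""
    cell = xor_stream(KEYS[CIRCUIT[-1]], b"EXIT|" + dest + b"|" + request)
    for i in range(len(CIRCUIT) - 2, -1, -1):
        cell = xor_stream(KEYS[CIRCUIT[i]],
                          b"NEXT|" + CIRCUIT[i + 1].encode() + b"|" + cell)
    return cell


def relay_view(name: str, cell: bytes) -> dict:
    """What relay `name` learns after peeling exactly one layer."""
    kind, rest = xor_stream(KEYS[name], cell).split(b"|", 1)
    if kind == b"NEXT":
        nxt, inner = rest.split(b"|", 1)
        return {"relay": name, "next_hop": nxt.decode(), "dest": None, "forward": inner}
    if kind == b"EXIT":
        dest, req = rest.split(b"|", 1)
        return {"relay": name, "next_hop": dest.decode(), "dest": dest.decode(), "forward": req}
    raise ValueError("cell does not decrypt under this relay's key")


def walk_circuit(cell: bytes) -> List[dict]:
    """Pass the cell through every relay and record what each one saw."""
    views = []
    for name in CIRCUIT:
        v = relay_view(name, cell)
        views.append(v)
        cell = v["forward"]
    return views


def isp_view_proxy(proxy: str, dest: bytes, request: bytes) -> dict:
    """Plain HTTP proxy: the ISP sees the peer and a cleartext request naming dest."""
    return {"peer": proxy, "wire": b"GET http://" + dest + b"/ HTTP/1.1\r\n" + request}


def isp_view_tor(dest: bytes, request: bytes) -> dict:
    """Tor: the ISP sees only the guard as peer and an encrypted cell."""
    return {"peer": CIRCUIT[0], "wire": build_onion(dest, request)}


if __name__ == "__main__":
    dest, req = b"www.example.com", b"GET / HTTP/1.1"
    print("proxy, ISP sees:", isp_view_proxy("proxy.example", dest, req))
    tor = isp_view_tor(dest, req)
    print("tor, ISP sees peer:", tor["peer"], "+", len(tor["wire"]), "bytes of ciphertext")
    for v in walk_circuit(tor["wire"]):
        print(f"{v['relay']:6} learns next hop={v['next_hop']} dest={v['dest']}")
```

Two caveats the simulation makes visible: the ISP still sees that the client is talking to a Tor relay and the guard still learns the client's address, while the exit relay (and the site) still read the request in clear. Anonymity here means the destination is hidden from the ISP and the client is hidden from the destination, not that the traffic is invisible.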
 

by: moh10lyPosted on 2007-06-27 at 19:42:57ID: 19377846

Wow, this is really very good info lol... got them mofos. Thank you so much joele23, I'll read more on Torpark on their official website.

 

by: mlts22Posted on 2007-06-28 at 12:47:44ID: 19384071

I would recommend a site like cotse.net.  They offer proxying on several levels, from Web proxies, to SOCKS, to others.  The advantage of using a service like this (costs around $10 a month) is that you are insulated from a would-be hacker, as the hacker would just end up probing a well-armored ISP.

Torpark is good, although you are trading speed for very secure anonymity.  Using a commercial site like cotse.net or anonymizer is a good alternative to protect your usual IMs from attack, but still allow you decent connection latency for real time chatting.

 

by: rpggamergirlPosted on 2007-06-28 at 21:58:46ID: 19386570

Sorry, wasn't able to come back.

Everything looks okay, and the log didn't show anything suspicious, that's great.

 

by: moh10lyPosted on 2007-06-29 at 15:56:29ID: 19394099

It's alright. Torpark is working great, I guess; it's doing a good job.
