Is this spyware? Accessing port 5070

My firewall is popping up with this all of a sudden:

[screenshot: spymaybe.jpg]


I'm updating my virus scanner now, but it needs to reboot, is there anything I can do if the virus scanner does not work?
 
Traceroute gives me this, it appears this IP address resolves to Russia:

5 240 ms 279 ms 213 ms cat01.Frankfurt.gldn.net [195.66.224.205]
6 325 ms 340 ms 335 ms cat07.Moscow.gldn.net [194.186.157.137]
7 314 ms 311 ms 312 ms te1-1.maxwell.msk.wahome.ru [195.239.10.202]
8 254 ms 309 ms 293 ms 92.241.168.139

What can I do about this? Just the normal spyware/malware scans and hijackthis log?

EDIT: Reverse DNS gives this:

Search results for 92.241.168.139:

wormbot.net points to 92.241.168.139 ... wormbot.net, A, 92.241.168.139, Russian Federation, 92.241.160.0/19. Wahome IPs =) ...

Looks like someone tried to botnet my machine, the worst thing is only the firewall blocked it. My virus scanner has not... very strange. :mad:

Any advice on how to get this crap off my machine?
 
I'd install a few different AVs and spyware type apps, reboot in safe mode and try scanning with those, see what it throws up.

Do you have a static IP? If you are on dynamic, it could be that the hacker had previously infected a PC with that IP address (so another customer of your ISP) and it's trying to connect again, not realising the PCs are different.

Do some investigation on your PC, but no need to panic just yet.
 
Ok, this came up earlier, incoming connection instead, same port, different IP:

[screenshot: spy3.jpg]

So far I've scanned using the latest comodo AV, and a fully updated clamwin, along with Malwarebytes' Anti-Malware. :) Anything else worth trying?
Get a rootkit scanner
I'll give this a go. :)
 
Not used it for some time, but Super Anti Spyware scanner used to be good.

Have you tried scanning in safe mode? And maybe grab a trial of something like Kaspersky.

Out of interest, what AV did you have installed initially?
 
I have Comodo AV installed, fully updated, and it normally stops things like this.

I'm not sure why it didn't so I can only assume it's a very sneaky program.

I've tried a rootkit, it didn't find anything bad, but spybot did:

[screenshot: spybota.jpg]


I'll give the Super Anti Spyware scanner a go, as I really want to get rid of this as I need to get a song finished for Tues!

EDIT: Those things Spybot found were just cookies :(
 
Install SpywareBlaster and update it to prevent those cookies coming back. All it does is update IE's and Firefox's blocked-cookies database so these cookies get blocked :). It doesn't run in the background either.
 
The first connection was outbound so it suggests something is already on the machine. Try an online scan because the integrity of anything installed locally is questionable.

http://www.kaspersky.co.uk/virusscanner
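The reasoning in this reply (an outbound connection means a local process initiated it) and the earlier reverse DNS result (the 92.241.160.0/19 block) can be turned into a quick triage check: find which PID owns the connection to port 5070 or to that network, then map the PID to an image name. This is an added example, not something posted in the thread. It parses the text that `netstat -ano` and `tasklist /fo csv` print on Windows (the sample outputs below are constructed, and the PID 1640 / explorer.exe pairing is invented for illustration); on a compromised machine a rootkit can hide entries from both tools, so a clean result here proves nothing, which is why the reply above recommends an online scan.

```python
"""
Map a suspicious outbound connection to the process that owns it, using the
text output of `netstat -ano` and `tasklist /fo csv` on Windows.
Added example; the sample outputs below are constructed, not captured.
"""
import csv
import io
import ipaddress

# Indicators from the thread: destination port 5070 and the 92.241.160.0/19
# block (wahome.ru / wormbot.net) that the reverse DNS lookup returned.
SUSPECT_PORTS = {5070}
SUSPECT_NETS = [ipaddress.ip_network("92.241.160.0/19")]

# Constructed sample of `netstat -ano` output (Windows XP layout).
# The explorer.exe / PID 1640 pairing is an assumption for this example.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.10:1044      92.241.168.139:5070    SYN_SENT        1640
  TCP    192.168.1.10:1051      74.125.77.99:80        ESTABLISHED     2204
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv` output.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","892","Console","0","4,512 K"
"explorer.exe","1640","Console","0","22,116 K"
"firefox.exe","2204","Console","0","98,004 K"
"""


def split_endpoint(endpoint):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) for each connection line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # headers, blank lines
        proto, local, remote = parts[0], parts[1], parts[2]
        # UDP lines have no State column, so the PID is always the last field.
        state = parts[3] if proto == "TCP" and len(parts) == 5 else ""
        rows.append((proto, local, remote, state, int(parts[-1])))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def is_suspect(remote_ip, remote_port):
    """True if the remote endpoint matches the port or network indicators."""
    if remote_port in SUSPECT_PORTS:
        return True
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:  # '*' placeholder on UDP lines
        return False
    return any(addr in net for net in SUSPECT_NETS)


def find_suspect_connections(netstat_text, tasklist_text):
    """Return [(image, pid, remote, state)] for connections matching the IOCs."""
    names = parse_tasklist(tasklist_text)
    hits = []
    for _proto, _local, remote, state, pid in parse_netstat(netstat_text):
        ip, port = split_endpoint(remote)
        if is_suspect(ip, port):
            hits.append((names.get(pid, "<unknown>"), pid, remote, state))
    return hits


if __name__ == "__main__":
    for image, pid, remote, state in find_suspect_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{image} (PID {pid}) -> {remote} {state}")
```

Feed it real output by redirecting `netstat -ano > net.txt` and `tasklist /fo csv > tasks.txt` and reading those files in place of the samples. A hit on explorer.exe, as in the thread's later screenshots, does not mean explorer.exe itself is malicious; a DLL injected into it makes the connection under explorer's PID, so the next step is listing the modules loaded in that process rather than scanning explorer.exe alone.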
Cheers, I'll give this a go. I was getting both inbound and outbound connections to two different Russian IP addresses, so I agree it's something on my machine. I'm behind a (firewalled) router too, meaning it's not something out there port-scanning away...
I'm not bothered about tracking cookies on IE really, I only use IE for Windows Update and SkyDrive, I do everything else in Firefox which has the NoScript and Adblock add-ons installed. Spybot got rid of the cookies, I guess they must just be from the adverts on SkyDrive...
 
Ok, full scan from Super Anti Spyware only found tracking cookies, and kaspersky is doing a full scan now.

The process is still showing up in my firewall, I think it's not explorer.exe itself but something controlling explorer.exe maybe?

[screenshot: ssspppyyyystillthere.jpg]


This is really really annoying! :mad:
 
Cheers, I fired it up, and got this error:

[screenshot: spy4.jpg]


Could it be that the virus/rootkit is causing this error, as I do have CMD on my system?

Copy/paste this into a shell.

Code:
rem Switch the console to UTF-8, clear any DIRCMD override, then list the root of C:
cmd.exe /c chcp 65001 && set DIRCMD= && cmd /c dir /4 /a C:\

Should list the root of your C drive.
It may be that your PATH variable is incorrect, another forum indicated that is a likely cause.
Should at least have this in your path:
Code:
rem %SystemRoot% is C:\WINNT on NT4/2000 and C:\WINDOWS on XP and later
Path=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

Should also allow you to start the tool :)
 
That worked a treat, it's scanning now. :)
Combofix, nuff said

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be very surprised if that doesn't get it.
Downloaded it, I'll give it a go once the rootkit thing has finished its business (It's Business Time!)...
 
Do you plan to format once you've finished the impending work, just to be sure?

I like the look of your firewall as it looks pretty intuitive to use. And it shows outbound monitoring is useful.
 