
Thread: Possible hacking of Spybot's 21320 Port

    #1  Junior Member (joined Feb 2014, 11 posts)

    Possible hacking of Spybot's 21320 Port

    I have been using Spybot for many years, but have (today) been forced to remove it because it appears that it has either been hacked or a vulnerability has been found.

    Somehow my computer got infected and was acting as an open HTTP proxy. HitmanPro found and closed port 8080, but today port 21320 was open and being used. (Someone at Northwestern monitors the traffic.) Following http://stackoverflow.com/questions/8688949/how-to-close-tcp-and-udp-ports-via-windows-command-line the process with this port open was ... Spybot.

    After uninstalling Spybot, IE now showed that my LAN was configured to use 21320 as a proxy. After deleting this, something else is still setting that as a proxy (from Hitman), so it may be that something else is still present to hack that port, but its presence was hidden. Hitman closed that port for me (I wish I knew what it did).

    I am not an IT professional, just a lowly Prof, so this might be wrong and there might still be something nasty....
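Added example, not code from the thread, from Spybot or from the forum: a PowerShell script that does what the first post did by hand. It lists which process owns a listening TCP port (the thread's port 21320 is the default) and reads the current user's WinINET proxy settings, the ones Internet Explorer's "LAN settings" dialog shows. Parsing `netstat -ano` keeps it usable on Windows 7, which is the era of the thread. The script only reads; it changes nothing. The decode of the auto-detect flag byte is an assumption noted in the code.

```powershell
# Added example: which process listens on a port, and what proxy the user has.

function Get-ListeningOwner {
    param([int]$Port)
    # netstat -ano prints: Proto  Local Address  Foreign Address  State  PID
    # UDP rows have no State column, so filtering on LISTENING skips them.
    $rows = netstat -ano | Select-String -SimpleMatch 'LISTENING'
    foreach ($row in $rows) {
        $parts    = $row.ToString().Trim() -split '\s+'
        $local    = $parts[1]
        $ownerPid = [int]$parts[4]      # $pid is reserved in PowerShell, hence the name
        # Matches "0.0.0.0:21320", "127.0.0.1:21320" and "[::]:21320".
        if ($local -match (':' + $Port + '$')) {
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
            $path = if ($proc) { $proc.Path } else { $null }   # Path needs admin for system processes
            [pscustomobject]@{ LocalAddress = $local; PID = $ownerPid; ProcessName = $name; Path = $path }
        }
    }
}

function Get-WinInetProxy {
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $v    = Get-ItemProperty -Path $key
    $conn = Get-ItemProperty -Path "$key\Connections" -ErrorAction SilentlyContinue
    $autoDetect = $null
    if ($conn -and $conn.DefaultConnectionSettings) {
        # Byte 8 of the DefaultConnectionSettings blob is a flag byte
        # (0x02 manual proxy, 0x04 PAC script, 0x08 "Automatically detect settings").
        # Microsoft does not document this layout; treat the decode as an assumption.
        $autoDetect = [bool]($conn.DefaultConnectionSettings[8] -band 0x08)
    }
    [pscustomobject]@{
        ProxyEnable   = $v.ProxyEnable      # 1 = "Use a proxy server" is ticked
        ProxyServer   = $v.ProxyServer      # e.g. "127.0.0.1:21320" or "http=host:port;https=..."
        AutoConfigURL = $v.AutoConfigURL    # PAC script URL, if any
        AutoDetect    = $autoDetect         # WPAD auto-detection on/off
    }
}

# --- run it ---
$port   = 21320
$owners = @(Get-ListeningOwner -Port $port)
if ($owners.Count -eq 0) {
    "Nothing is listening on TCP port ${port}."
} else {
    "Processes listening on TCP port ${port}:"
    $owners | Format-Table -AutoSize
}

$proxy = Get-WinInetProxy
"Current-user WinINET proxy settings:"
$proxy | Format-List

# The pattern described in the thread: proxy enabled, pointing at this machine,
# on a port owned by a program that has no business relaying HTTP.
$localProxy = '(^|=)(127\.0\.0\.1|localhost):' + $port + '(;|$)'
if ($proxy.ProxyEnable -eq 1 -and $proxy.ProxyServer -match $localProxy) {
    "WARNING: this user's proxy points at the local machine on port ${port}."
}
```

Run it from an elevated PowerShell so the owning process path is visible. The registry values read here are per user, so each account on the machine needs checking; services use the separate WinHTTP setting, which `netsh winhttp show proxy` displays.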

    #2  Juliet, Security Expert-emeritus (joined Feb 2007, Deep South, 4,084 posts)

    Tell ya what we can do, look for malware and remove it then change out settings and see what happens.

    Which browser do you mainly use....Firefox - Google Chrome?

    Use NoScript here for Firefox, https://addons.mozilla.org/en-US/fir...ddon/noscript/
    Google Chrome, https://chrome.google.com/webstore/d...pidmdajjpkkcfn

    Then, read over instructions how to change your Proxy settings. It's an easy read with easy to follow instructions.

    http://www.ehow.com/how_6376938_proxy-settings.html

    ~~~~~~~~~~~~~~~~~~~~~~~~

    Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
    There are 6 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click and choose Run as Admin
    You only need to get one of them to run, not all of them.
    1. rkill.exe
    2. rkill.com
    3. rkill.scr
    4. rkill.pif
    5. WiNlOgOn.exe
    6. uSeRiNiT.exe


    ~~~~~~~~~~~~~

    Please download Farbar Recovery Scan Tool

    (use correct version for your system.....Which system am I using?)
    and Tutorial http://www.geekstogo.com/forum/topic...ery-scan-tool/



    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
    • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will produce a log called FRST.txt in the same directory the tool is run from.
    • Please copy and paste log back here.
    • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.



    Please post
    Rkill log
    FRST.txt and the Addition.txt
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

    #3  Junior Member (joined Feb 2014, 11 posts)

    Clarification, and some responses

    I will do what is suggested in a bit and post information, but separate from this I will comment that I already did most of what is suggested. A key point is that the Proxy was NOT solved/removed by what was suggested in the post. I ran rkill and it did not find the issue, neither did HitmanPro, Trend Micro (the USB scan I think), Kaspersky, AdwCleaner, JRT, Malwarebytes, NPE, Symantec (and maybe one or two others). The solution was to uninstall Spybot when the proxy appeared in the IE LAN settings. This strongly suggests that Spybot configuration files got hacked. I have these (probably) on a backup; I assume they are in Local Data or similar if someone can suggest where to look.

    One thing which concerns me is that there might be a connection to the automatic proxy detection which now seems to be the Microsoft default, and I wonder if this was (or will be) set by Windows Updates.

    Some comments inlined.

    Quote Originally Posted by Juliet:
    Tell ya what we can do, look for malware and remove it then change out settings and see what happens.

    Which browser do you mainly use....Firefox - Google Chrome?
    [LDMarks: Both]

    Use NoScript here for Firefox, https://addons.mozilla.org/en-US/fir...ddon/noscript/
    Google Chrome, https://chrome.google.com/webstore/d...pidmdajjpkkcfn

    Then, read over instructions how to change your Proxy settings. It's an easy read with easy to follow instructions.

    http://www.ehow.com/how_6376938_proxy-settings.html
    [LDMarks: This did not show anything]

    ~~~~~~~~~~~~~~~~~~~~~~~~

    Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
    There are 6 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click and choose Run as Admin
    You only need to get one of them to run, not all of them.
    1. rkill.exe
    2. rkill.com
    3. rkill.scr
    4. rkill.pif
    5. WiNlOgOn.exe
    6. uSeRiNiT.exe

    [LDMarks: rkill was run; it did not repair the 21320 port issue]

    ~~~~~~~~~~~~~

    Please download Farbar Recovery Scan Tool

    (use correct version for your system.....Which system am I using?)
    and Tutorial http://www.geekstogo.com/forum/topic...ery-scan-tool/



    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
    • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will produce a log called FRST.txt in the same directory the tool is run from.
    • Please copy and paste log back here.
    • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.



    Please post
    Rkill log
    FRST.txt and the Addition.txt

    #4  Juliet, Security Expert-emeritus (joined Feb 2007, Deep South, 4,084 posts)

    Quote Originally Posted by LDMarks:
    One thing which concerns me is that there might be a connection to the automatic proxy detection which now seems to be the Microsoft default, and I wonder if this was (or will be) set by Windows Updates.
    As far as I know it is a Microsoft Windows default but, now if it was set or changed under Windows Updates is a good question.
    I checked to see if there was a networking forum here and did not find one. If you like I can suggest one here http://forums.whatthetech.com/index.php?showforum=128 or http://forums.pcpitstop.com/index.ph...t-connections/ that might be able to look into this further than I can, I just don't have that knowledge.

    If you would like to continue with looking for malware, let's proceed.

    #5  Junior Member (joined Feb 2014, 11 posts)

    Quote Originally Posted by Juliet:
    Tell ya what we can do, look for malware and remove it then change out settings and see what happens.

    Please post
    Rkill log
    FRST.txt and the Addition.txt
    Attached, I had to zip FRST.txt

    #6  Junior Member (joined Feb 2014, 11 posts)

    Cross-posting

    Posting elsewhere is a thought, but those forums don't exactly look to be specific enough so let's leave it for now.

    Quote Originally Posted by Juliet:
    As far as I know it is a Microsoft Windows default but, now if it was set or changed under Windows Updates is a good question.
    I checked to see if there was a networking forum here and did not find one. If you like I can suggest one here http://forums.whatthetech.com/index.php?showforum=128 or http://forums.pcpitstop.com/index.ph...t-connections/ that might be able to look into this further than I can, I just don't have that knowledge.

    If you would like to continue with looking for malware, let's proceed.

    #7  Juliet, Security Expert-emeritus (joined Feb 2007, Deep South, 4,084 posts)

    Java 7 Update 45 (x32 Version: 7.0.450 - Oracle) <-- is out of date
    Uninstall/remove older versions

    Install Java: Version 7 Update 51

    Please go here to http://www.java.com/en/download/wind....jsp?locale=en


    http://www.java.com/en/download/help/plugin_cache.xml
    clear the Java cache

    ~~~~~~~~~~~~~

    Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
    Paste this into the open notepad. save it to the Desktop as fixlist.txt
    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
    It needs to be saved Next to the "Farbar Recovery Scan Tool" (FRST) program (If asked to overwrite existing one please allow)

    start
    HKLM-x32\...\Run: [] - [X]
    SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKCU - {49666E02-3F1D-4082-8D00-2594D65C9293} URL =
    Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    C:\Users\LDM\AppData\Local\Temp\Quarantine.exe
    end
    Run FRST/FRST64 and press the Fix button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


    ~~~~~~~~~~~~~~~~~~~~

    Go here to run an online scanner from ESET.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
    • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    • Click Scan
    • Wait for the scan to finish
    • When the scan completes, press the LIST OF THREATS FOUND button
    • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
    • Include the contents of this report in your next reply.
    • Press the BACK button.
    • Press Finish


    please post:
    Fixlog.txt
    Eset log

    #8  Junior Member (joined Feb 2014, 11 posts)

    A few comments, then see attachments:
    * The hosts file entries were all Spybot redirects to 127.0.0.1, which appear to be standard (deleted anyway).
    * The NoScript add-ons that you suggested I install appear to be problematic; for instance they break the Java "uninstall old versions" page, and ESET won't run in Chrome (used IE).
    * There is an issue with Java for both Chrome & Firefox which I've seen before. Probably OK, although the "verify Java" web page no longer works.
    * You did not mention ee (which I noticed was in the prior logs) -- this is just a simple Linux editor, as I hate vi.

    The ESET scanner is taking a long time (forever to scan cygwin), and I have to use my laptop to teach a class in a few minutes, so I have to terminate it (and rerun later). So far no threats found. The other log is attached, as I have to break my internet connection.
    Last edited by Juliet; 2014-02-20 at 21:19. Reason: edit
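Added example, not code from the thread, from Spybot or from the forum: a PowerShell audit of the Windows hosts file that separates the two shapes of entry the post above touches on. Spybot's immunization adds lines that send ad and tracker names to 127.0.0.1, which only blocks them; an entry that sends a name to any other address silently reroutes it, and a 127.0.0.1 entry for an update or security site cuts that site off. The watch list, the sample file and the domain names in it are constructed for illustration; the script writes its sample to a temp file and never touches the real hosts file unless you point it there.

```powershell
# Added example: classify hosts-file entries as "block" or "redirect" and flag
# the ones worth a closer look. Sample data below is constructed.

function Get-HostsEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    foreach ($raw in Get-Content -Path $Path -ErrorAction Stop) {
        $line = ($raw -split '#', 2)[0].Trim()           # drop comments
        if ($line -eq '') { continue }
        $fields = $line -split '\s+'                      # address, then one or more names
        if ($fields.Count -lt 2) { continue }
        $addr = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            # Loopback or null route only blocks the name; anything else reroutes it.
            $kind = if ($addr -match '^(127\.|0\.0\.0\.0$|::1$)') { 'block' } else { 'redirect' }
            [pscustomobject]@{ Address = $addr; Hostname = $name.ToLower(); Kind = $kind }
        }
    }
}

function Find-SuspiciousHosts {
    param([string]$Path, [string[]]$WatchList)
    foreach ($e in Get-HostsEntries -Path $Path) {
        $onWatch = $WatchList | Where-Object { $e.Hostname -eq $_ -or $e.Hostname.EndsWith('.' + $_) }
        $reason  = $null
        if ($e.Kind -eq 'redirect' -and $e.Hostname -ne 'localhost') {
            $reason = 'redirects the name to a non-loopback address'
        } elseif ($onWatch) {
            $reason = 'blocks a name on the watch list'
        }
        if ($reason) {
            $e | Add-Member -MemberType NoteProperty -Name Reason -Value $reason -PassThru
        }
    }
}

# Names nobody wants blocked on a home machine (constructed watch list; extend it).
$watch = @('windowsupdate.com', 'microsoft.com', 'safer-networking.org')

# Constructed sample in the shape the thread describes. TEST-NET and .test/.example
# names are placeholders, not real hosts.
$sample = @'
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.adserver.example
127.0.0.1 tracker.example.test
# two lines that should stand out in a review
127.0.0.1 www.windowsupdate.com
198.51.100.7 www.bank.example
'@
$tmp = Join-Path $env:TEMP 'hosts-sample.txt'
Set-Content -Path $tmp -Value $sample

"All entries in the sample:"
Get-HostsEntries -Path $tmp | Format-Table -AutoSize

"Entries worth a closer look:"
Find-SuspiciousHosts -Path $tmp -WatchList $watch | Format-Table Address, Hostname, Reason -AutoSize

# Against the real file (read-only; needs no elevation):
# Find-SuspiciousHosts -Path "$env:SystemRoot\System32\drivers\etc\hosts" -WatchList $watch
```

On the sample, the two Spybot-style lines come back as plain blocks, while the windowsupdate.com line is flagged as blocking a watched name and the bank line as a redirect. Long runs of 127.0.0.1 entries are therefore not by themselves a sign of trouble; the lines to read are the redirects and the handful of blocks that cover sites you rely on.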

    #9  Juliet, Security Expert-emeritus (joined Feb 2007, Deep South, 4,084 posts)

    Quote Originally Posted by LDMarks:
    A few comments, then see attachments:
    * The NoScript add-ons that you suggested I install appear to be problematic; for instance they break the Java "uninstall old versions" page, and ESET won't run in Chrome (used IE).
    * There is an issue with Java for both Chrome & Firefox which I've seen before. Probably OK, although the "verify Java" web page no longer works.

    The ESET scanner is taking a long time (forever to scan cygwin), and I have to use my laptop to teach a class in a few minutes, so I have to terminate it (and rerun later). So far no threats found. The other log is attached, as I have to break my internet connection.
    I didn't post the Java verify page, (I might be misunderstanding here) I posted how to clean the Java cache,
    here is the Java verify page http://www.java.com/en/download/installed.jsp

    ESET is a very thorough scanner that most all malware techs use, including myself. No malware found when scanning previously is a good thing.

    #10  Junior Member (joined Feb 2014, 11 posts)

    ESET Online reports no threats, which is what I expected and I believe I previously removed everything.


    The main point of my post in the first place was to inform whoever runs SpyBot that they have a vulnerability, and in fact SpyBot can be a source of malware and/or hide an open proxy.
