Help

[Dave McDonald]

I believe that I have been infected by some kind of spyware. Some kind of
program is connecting to my computer via the LAN and port 139. I watched a
program in my task bar exit, but there was no indication something was
exiting, it just simply was there, and then was not (it was an IE page that
had been minimized to the task bar). I believe that someone is looking or
can look at the files my computer while I'm on it, but without my
knowledge - and the files I have open.

Does anyone one have any idea what program could be doing this? I have run
spybot, hijackthis, spysweeper, and X-cleaner. X-cleaner found a
"messenger" file running and asked if I wanted to keep it I said no (I do
not run any instant message programs), but I still see the connection from
within the LAN (10.0.0.12) on port 139. I have searched the web for spyware
/ remote control software and I'm not having very much luck.

Please help!

[me3]

Dave McDonald wrote:
> I believe that I have been infected by some kind of spyware. Some kind of
> program is connecting to my computer via the LAN and port 139. I watched a
> program in my task bar exit, but there was no indication something was
> exiting, it just simply was there, and then was not (it was an IE page that
> had been minimized to the task bar). I believe that someone is looking or
> can look at the files my computer while I'm on it, but without my
> knowledge - and the files I have open.
>
> Does anyone one have any idea what program could be doing this? I have run
> spybot, hijackthis, spysweeper, and X-cleaner. X-cleaner found a
> "messenger" file running and asked if I wanted to keep it I said no (I do
> not run any instant message programs), but I still see the connection from
> within the LAN (10.0.0.12) on port 139. I have searched the web for spyware
> / remote control software and I'm not having very much luck.
>
> Please help!
>
>
try faber toys to find out what is running and which programs start at
system startup.

You can find it here: http://www.faberbox.com/fabertoys.asp

hope this will help

goodluck

[Dave McDonald]

Thank you.

I tried "faber toys". Nothing out of the ordinary comes up.

As an add'l note - The event viewer indicates that something is writing to
the registry it shutdown - does not tell me what it is. Any ideas for a
program that will record / log start up and/or shutdown? I did a boot log,
but I have not had the time to look at every program/driver that loads. I
am running Win2K. Something does seem strang at C:/docs and set/user
name/Application Data/Microsoft/Protect - there is a file that begins with
S-1-5-1-lots of numbers. Any possibility thta's my problem?

Thank you for your ideas and help!!!


"me3" <me3@me.com> wrote in message news:bqapav$4a8$1@reader11.wxs.nl...
> Dave McDonald wrote:
> > I believe that I have been infected by some kind of spyware. Some kind
of
> > program is connecting to my computer via the LAN and port 139. I
watched a
> > program in my task bar exit, but there was no indication something was
> > exiting, it just simply was there, and then was not (it was an IE page
that
> > had been minimized to the task bar). I believe that someone is looking
or
> > can look at the files my computer while I'm on it, but without my
> > knowledge - and the files I have open.
> >
> > Does anyone one have any idea what program could be doing this? I have
run
> > spybot, hijackthis, spysweeper, and X-cleaner. X-cleaner found a
> > "messenger" file running and asked if I wanted to keep it I said no (I
do
> > not run any instant message programs), but I still see the connection
from
> > within the LAN (10.0.0.12) on port 139. I have searched the web for
spyware
> > / remote control software and I'm not having very much luck.
> >
> > Please help!
> >
> >
> try faber toys to find out what is running and which programs start at
> system startup.
>
> You can find it here: http://www.faberbox.com/fabertoys.asp
>
> hope this will help
>
> goodluck
>

[data64]

"Dave McDonald" <DaveMcD@comcast.net> wrote in
news:c05yb.254669$275.927435@attbi_s53:
> Does anyone one have any idea what program could be doing this? I
> have run spybot, hijackthis, spysweeper, and X-cleaner. X-cleaner
> found a "messenger" file running and asked if I wanted to keep it I
> said no (I do not run any instant message programs), but I still see
> the connection from within the LAN (10.0.0.12) on port 139. I have
> searched the web for spyware / remote control software and I'm not
> having very much luck.

I think port 139 is one of the Netbios ports (see
http://www.webopedia.com/quick_ref/portnumbers.asp).
So on a (MS) LAN, if you have file sharing, etc enabled, you are bound to
see connections on this port.

Is the "messenger" thing X-cleaner found, something to do with the
messenger service? (Messenger service has nothing to do with any IM
programs).

data64

[Dave McDonald]

But there are not any shared drives on the infected workstation...

"data64" <me@privacy.net> wrote in message
news:Xns944386ECA19E9Data64Bigfootcom@130.133.1.4. ..
> "Dave McDonald" <DaveMcD@comcast.net> wrote in
> news:c05yb.254669$275.927435@attbi_s53:
> > Does anyone one have any idea what program could be doing this? I
> > have run spybot, hijackthis, spysweeper, and X-cleaner. X-cleaner
> > found a "messenger" file running and asked if I wanted to keep it I
> > said no (I do not run any instant message programs), but I still see
> > the connection from within the LAN (10.0.0.12) on port 139. I have
> > searched the web for spyware / remote control software and I'm not
> > having very much luck.
>
> I think port 139 is one of the Netbios ports (see
> http://www.webopedia.com/quick_ref/portnumbers.asp).
> So on a (MS) LAN, if you have file sharing, etc enabled, you are bound to
> see connections on this port.
>
> Is the "messenger" thing X-cleaner found, something to do with the
> messenger service? (Messenger service has nothing to do with any IM
> programs).
>
> data64