View Full Version : about suspicious activity, Cyberghost virus?


I'm confused about something and hoping someone in here can clear it up. About a year ago I downloaded and used the Cyberghost VPN. After six months I got bored with it and uninstalled it. About a week ago I downloaded from Bleeping that Glasswire program. Since I'm not overly knowledgeable about computing I tend not to fully understand many of these programs, including this one. Anyway, Glasswire seems to indicate that Cyberghost.com servers in Germany and Romania are doing a lot of communicating with my computer, some files as big as 2 mb. And I'm trying to come up with any good reason why this should be. Nothing I seem to be doing seems to offer any rational explanation why they would need to communication so often--at all, really--with my computer.

Anyway, very quickly, I went into my firewall (Which I rarely do) and found something called "Check point VPN," and I'm wondering if that isn't something they installed and are still using for their own, possibly nefarius, reasons. So I disallowed that item, and hopefully it will do the trick. There's another vpn item, "f5 vpn," but that seems like something l might need, I'm not sure. I really don't know what the heck I'm doing. So, can anyone tell me why Cyberghost is taping my computer? and what I should do, if anything.

I should add, I have run about 6 different anti-maleware, including MB antiroot, and got zilch infections. So that gave me no clues.

You mention Check Point VPN and F5 VPN.

Is this something you found in the inbound and outbound firewall rules? More precisely rules named CheckPoint.vpn and f5.vpn.client?

Yes, they're in both inbound and outbound, private and domain, any program, and activated. Don't know if they are supposed to be there or if they were added later because of some download, like Cyrberghost, for example. It's just suspicious that Cyberghost.com is communicating with my computer because none of my activity accounts for it. I block third party cookies on Firefox, I use Ghostery to block crap, I have the "flag" add on that tells me which servers my browser is calling up, never has it been Cyberghost's servers. But then I check Glasswire and it says an app has communicated with Cyberghost.com, usually Romania or Germany, as a Host Process for Windows Services. Problem is I don't know much, so this could be nothing at all to worry about. I'm more curious than anything. Am I wrong in my puzzlement with this?

These rules are not in Windows 7 Firewall by default, but they are on my PC too. I guess these rules are created when you created VPN connections (I use another VPN provider than you).

This seems normal to me, as Check Point and F5 offer corporate VPN solutions.

No, it is not normal that you still see activity to Cyberghost when you have uninstalled it. As the "Host Process for Windows Services" is reported as the origin of these connections, check your list of Windows Services for anything related to Cyberghost or VPN.