Windows 7 Forums



Windows 7: Suspicious TCP/UDP connections on Currports

25 Jan 2014   #11
oddblob

Windows 7 Home Premium 64bit

Quote: Originally Posted by Slartybart
Please uninstall SpyBot and RUBotted. You can reinstall them if you want after we get through this exercise.

There are two, what look to be install pkgs, under your user profile. Both are world painter (minecraft?)
If you could verify that and you don't need them, I'll complete the fix script and let FRST take care of them.
In other words, you don't have to delete them FRST will.

I've uninstalled Spybot and RUBotted, and the two WorldPainter files in my user profile. May I ask what this fix script is?


25 Jan 2014   #12
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

Sure, I built the fix script using information from the FRST.txt file.

Instead of me explaining it, I'll post it with instructions. You can look at it and see what it will fix.

The fix is to remove the files in the script. The two World Painter exe files are at the top. If you don't want FRST to remove them, delete those two lines, but ONLY those two lines after you paste the script into a local text file.

The start and end must be there or the script won't work.

start
..
..
end

The rest of the files are in your TEMP folder, so you can feel comfortable fixing those.

The instructions and the script are below:

Please open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the Farbar script between the lines (but not the lines) below
Save it to your Desktop, and name it: fixlist.txt


start
C:\Users\Andrew\worldpainter_64_1.2.1.exe
C:\Users\Andrew\worldpainter_64_1.6.4.exe
C:\Users\Andrew\AppData\Local\Temp\DivXSetup.exe
C:\Users\Andrew\AppData\Local\Temp\jansi-32-git-Bukkit-1.6.4-R2.0-1-g988f599-b2919jnks.dll
C:\Users\Andrew\AppData\Local\Temp\jansi-64-git-Bukkit-1.6.4-R2.0-1-g988f599-b2919jnks.dll
C:\Users\Andrew\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Andrew\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\Andrew\AppData\Local\Temp\log4net.dll
C:\Users\Andrew\AppData\Local\Temp\Quarantine.exe
C:\Users\Andrew\AppData\Local\Temp\RSPUpgradeInstaller.exe
C:\Users\Andrew\AppData\Local\Temp\SyncRestarter.exe
C:\Users\Andrew\AppData\Local\Temp\sync_upgrader.exe
end


Once again, run FRST64 as you did before.
When the tool opens click Yes to disclaimer.

Now, press the Fix button, only once, and wait.
When done, FRST produces Fixlog.txt on your Desktop.

Please provide the content of Fixlog.txt on your reply.
Thanks!
25 Jan 2014   #13
oddblob

Windows 7 Home Premium 64bit

Quote: Originally Posted by Slartybart
Please provide the content of Fixlog.txt on your reply.

Here is Fixlog.txt (attached as Fixlog.zip).



25 Jan 2014   #14
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

Ok, I take it that you moved the World Painter exe files and TEMP\Quarantine?

If you told me that, I wouldn't have to ask.

No problem if you did, it's your machine.

However, I don't know what's in Quarantine and I don't want it to come back on you. 99.99% of the time, you can delete anything in your temp folder - that's only temporary storage for things you're working on or installing.

What's the .01% - it's work in progress - a document, spreadsheet, or install. In that case you would wait to remove the file.

I'm cautious too, it's a good trait. But when I deal with Malware, I don't trust it - it is very clever at making itself look important, so that people do not remove it.

Anyway, should I wonder why the FRST fix threw up an error on TEMP\Quarantine? Is a nasty bug preventing FRST from doing its job?

The next thing after you bring me up to date is another Mbam scan.
Close all applications before beginning the scan.

Make sure you check for updates and have the scan settings optimized.
edit: If anything is found by the scan you'll have to look at the list and place a checkmark in the box for it to be removed, otherwise, it's only listed per the settings.

Here's what I run on my machine for Mbam


Attached images: mbamsetgen.png, mbamsetscan.png
25 Jan 2014   #15
oddblob

Windows 7 Home Premium 64bit

Quote: Originally Posted by Slartybart
The next thing after you bring me up to date is another Mbam scan.
Close all applications before beginning the scan.

Yes, sorry, I removed the two worldpainter.exe files. I searched for Quarantine.exe in the directory listed and found nothing; surely if it was malicious it would be staying there? I'll go into safe mode now and report back whatever MBAM reports in the next post, thanks.
25 Jan 2014   #16
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

Quote: Originally Posted by oddblob
Accidental post, sorry.

Not a problem, you can delete your own posts.

Click on the orange asterisk on the quoted text above - that takes you back to the original post.

On the post you want to delete, click Edit, then click Delete.
That expands the delete options.
Click the radio button "Delete this msg".
Add some explanation in the reason box,
and click the "Delete this message" button.

The oops msg should be gone.

Just make sure you're deleting the correct msg. I've oops'd that, and well, oops, it's gone.
25 Jan 2014   #17
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

Ok, don't sweat Quarantine. As I said, TEMP is temporary storage; whatever created it might have cleaned up after itself. Some apps aren't real good at housekeeping.

edit: Ok waiting on Mbam scan results.
25 Jan 2014   #18
oddblob

Windows 7 Home Premium 64bit

Quote: Originally Posted by Slartybart
edit: Ok waiting on Mbam scan results.

Okay, MBAM completed and returned absolutely nothing, which I guess is good! Or potentially really bad...

Also, I ran CurrPorts on another PC on my network (rarely used PC, Win7 Ultimate) and it had AppleMobileDeviceService with the remote host being 127.0.0.1, yet the remote host name was [PC NAME].
As I'm pretty sure my PC name is NOT 007guard(dot)com, I'm left a bit confused here. Oh, the other PC also had an identical hosts file to me.

P.S. There's no delete button for me.

EDIT: Sorry, was tired when typing that; my PC name is just the generic [username-pc].
25 Jan 2014   #19
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

I need to refresh my memory by reading the thread again.

The hosts file is a means to redirect IP traffic to some address.

127.0.0.1 is the loopback address of every machine. What that means is when a domain name needs to be translated to the IP address, the protocol says look in hosts first, then the DNS.

If a domain is defined in the hosts file, the protocol uses that IP address otherwise it has to call on the DNS server to resolve the name to an IP address.

A standard hosts file contains two entries, one for IPv4 and one for IPv6.

127.0.0.1 localhost
::1 localhost #[IPv6]

If there are other entries in the hosts file, then either you put them there or they are part of a defense mechanism of an AV program (Spybot S&D? or RUBotted?). I run Avast! and more scanners than I've suggested here, so it's not those.

Anyway, if the entries are 127.0.0.1 it's not an issue because it loops back to your machine - it doesn't go anywhere.
All of the domain names and addresses I've seen in this thread go into that loop; again, that's ok.
127.0.0.1 AppleMobileDeviceService simply means that anything trying to reach AppleMobileDeviceService using IP will not go anywhere. Same for anything else:

127.0.0.1 joes.com
127.0.0.1 joes.net
127.0.0.1 tomandjoes.org
Putting any of those addresses in your browser won't see the light of day if they are defined in the hosts file as shown above.

Right click on Computer and select Properties - your computer name is on that window a little past the 1/2 mark.

"No delete button" refers to deleting a post on this thread?
it has to be your post.

edit, delete, delete radio, delete this msg button

Screenshots: 4mdel0.png, 4mdel1.png, 4mdel2.png


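The reverse-lookup behaviour behind the 007guard(dot)com puzzle in posts #18 and #20, as an added example that is not part of the original thread. CurrPorts reverse-resolves each remote address into a "remote host name", and on Windows that lookup consults the hosts file before DNS, so a connection whose remote address is 127.0.0.1 is labelled with the first name the hosts file maps to 127.0.0.1; in a Spybot S&D immunized file that is 007guard.com. The script below is a small Python model of that resolver logic over a constructed hosts file: the sample content (the commented-out localhost lines that Windows 7 ships, the short Spybot-style block, and the non-loopback redirect for www.example-bank.com) is invented for the example, and the real file lives at C:\Windows\System32\drivers\etc\hosts. It also does the check a practitioner actually wants here: entries pointing at 127.0.0.1 or 0.0.0.0 are sinkholes and harmless, whereas an entry that sends a real domain to some other address is the hosts-file hijack worth investigating.

```python
"""Model hosts-file name resolution and audit the entries.

Added example for this thread, not code from the original posts. SAMPLE_HOSTS
is constructed to resemble a Spybot S&D immunized Windows 7 hosts file; the
real file lives at C:\\Windows\\System32\\drivers\\etc\\hosts.
"""
import ipaddress
from collections import Counter

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# Windows 7 ships these two lines commented out; the resolver handles localhost itself
#   127.0.0.1       localhost
#   ::1             localhost
# Start of entries inserted by Spybot - Search & Destroy (constructed sample)
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
0.0.0.0   ads.example-tracker.invalid
# End of entries inserted by Spybot - Search & Destroy
# The next line is NOT a sinkhole: it sends a real site somewhere else (constructed)
198.51.100.23 www.example-bank.com   # the dangerous kind of entry
"""

# Addresses that make an entry a harmless sinkhole: traffic never leaves the box.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return [(ip, hostname), ...] in file order, one pair per hostname.

    Mirrors the resolver's rules: '#' starts a comment, the first field is the
    address, every further field on the line is a name for that address.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address field; the resolver skips it too
        for name in fields[1:]:
            entries.append((ip, name.lower()))
    return entries


def forward_lookup(entries, hostname):
    """Name -> address using only the hosts file (no DNS). First match wins."""
    hostname = hostname.lower()
    for ip, name in entries:
        if name == hostname:
            return ip
    return None


def reverse_lookup(entries, ip):
    """Address -> name using only the hosts file. First match wins.

    This is what a tool showing a 'remote host name' for a 127.0.0.1 connection
    displays: the first name the file maps to 127.0.0.1.
    """
    ip = str(ipaddress.ip_address(ip))
    for entry_ip, name in entries:
        if entry_ip == ip:
            return name
    return None


def audit(entries):
    """Split entries into sinkhole counts per address and redirects to check."""
    sinkholes = Counter()
    redirects = []
    for ip, name in entries:
        if ip in SINKHOLES:
            sinkholes[ip] += 1
        else:
            redirects.append((name, ip))
    return dict(sinkholes), redirects


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("entries parsed:", len(hosts))
    print("007guard.com resolves to:", forward_lookup(hosts, "007guard.com"))
    print("127.0.0.1 reverse-resolves to:", reverse_lookup(hosts, "127.0.0.1"))
    counts, suspicious = audit(hosts)
    print("sinkhole entries by address:", counts)
    for name, ip in suspicious:
        print("CHECK: %s -> %s is not a loopback sinkhole" % (name, ip))
```

To run it against a real machine, read the hosts file instead of SAMPLE_HOSTS; anything `audit()` lists under redirects deserves a look, while thousands of 127.0.0.1 lines from Spybot are expected and explain the odd remote host name in CurrPorts.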
25 Jan 2014   #20
oddblob

Windows 7 Home Premium 64bit

Quote: Originally Posted by Slartybart
If there are other entries in the hosts file, then either you put them there or they are part of a defense mechanism of an AV program (Spybot S&D? or RUBotted?). I run Avast! and more scanners than I've suggested here, so it's not those.

Spybot S&D has added all the 1000+ entries to my hosts file, but I still don't get why some programs' remote host name is 007guard(dot)com in CurrPorts.

I should also add my P.C name is NOT 007guard(dot)com as I said earlier, that was a pretty bad typo by me there... Very sorry! It's just [{myName}-PC], just the standard. Which still leaves me confused as to why the remote host names are 007guard(dot)com as you've helped me search for malware, and it doesn't seem to be that :S

Also, to do with deleting posts, not sure if it's linked to me being a new user or something, but there's only 'Save', 'Go Advanced' and 'Cancel'. Odd :S