Windows 7 Forums

Windows 7: Suspicious TCP/UDP connections on Currports

25 Jan 2014   #21
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

Ok, let's take Spybot completely out of the equation - you uninstalled it, now restore the hosts file to default
Follow this and run the MS fixit: How can I reset the Hosts file back to the default?

I didn't think your PC was named that; now you know what the name is for certain.

Way back in post 4, there were 10 malwares found. I still would like to run ESET scanner and AdwCleaner after the MS fixit for the hosts file. You said you have AdwCleaner, but I'd prefer it if you download a new version. There are updates and I do not know if any of the 10 malware on your system might have compromised AdwCleaner (probably not, but with a fresh download you'll know for sure).

re: delete posts, good thinking, that might be the reason. It's not important that it be deleted.

I'll write two new posts on ESET (lengthy, but thorough) and AdwCleaner; run them in that order and post the results.

So start with the MS fixit and I'll start the next two posts.

Bill
-


25 Jan 2014   #22
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

Please run the ESET Online Scanner...

Since it is implemented as an ActiveX control, it is best run on Internet Explorer.
Right click the IE shortcut and select: Run as Administrator

Next, in IE, download: ESET Free Online Scanner :: Complete Malware Detection :: ESET

On the ESET website, click on: Run ESET Online Scanner
Click: Start

When asked, allow the add-on to be installed.
Again, click: Start

On the next prompt, Computer Scan Settings, do not check: Remove found threats

Next, click on: Advanced Settings
Make sure the following options are checked:
>Scan for potentially unwanted applications
>Scan for potentially unsafe applications
>Enable Anti-Stealth Technology

By Current Scan Targets, Operating memory, Local drives, press: Change
In Selection of scan targets, Local drives, select the drives in question.
Click: OK

Click: Start
Follow the prompts.

When the scan completes, if threats are found, in the Scan Results prompt, click on: List of threats found
Click on: Export to text file
Save to the Desktop and name it: ESET Scan Results
Click on: Back
Click on: Finish, and close the program.

If anything is found, please provide the ESET Scan Results in your reply to determine what further action is necessary.
25 Jan 2014   #23
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

Download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

25 Jan 2014   #24
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

Double click on AdwCleaner.exe to run the tool again.
Click on the Scan button.
AdwCleaner will begin to scan your computer like it did before.
After the scan has finished...

This time click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).

Copy and paste the contents of that logfile in your next reply (logfile is also saved in C:\AdwCleaner)
26 Jan 2014   #25
oddblob

WINdows 7 Home Premium 64bit

Quote: Originally Posted by Slartybart
now restore the hosts file to default
Follow this and run the MS fixit: How can I reset the Hosts file back to the default?

-
Hi, before I do that, I'm just a bit curious about it... If some applications are trying to go to this dodgy domain, and it appears that Hosts is looping it back to 127.0.0.1, why would I want to stop that? Surely putting Hosts at default will allow this connection?
26 Jan 2014   #26
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

Good question.

You are correct, resetting hosts would allow the connection.

Why would you want to do that? Spybot S&D used the hosts file to compensate for a weak AV policy. You have Avast!, which should prevent the malware in the first place, so the entries created in the hosts file by Spybot are unnecessary and might cause legitimate connections to fail.

edit: Win7 firewall does the other half of the job.

Having a std hosts file is "best practices" for operating any machine. Putting entries in the hosts file is a workaround to try if and when there is a connection issue; it's called a loopback TEST.


Your machine, your choice - but I strongly recommend that you reset hosts to default.

I just ran currports on my machine and I see what might be confusing us. It displays all possible connections. The interesting thing is that on the first execution, I saw some unknowns and other curiosities. When I ran it a second time, those curiosities were not displayed in the window. Conclusion: use std Windows apps to display network information. I think currports is just confusing the issue; you might be chasing a red herring.

If currports caused you to chase a red herring that's ok. Your machine is a little cleaner (previous AV apps removed) and if the last two scans report nothing found then you're fairly certain there is no malware on your machine. You can never be 100% certain, but you have a good AV app and the scans so far report nothing found. Make sure regular scans are scheduled (quick daily, full weekly is how I have my machine set up with Avast), and both the program and virus definitions are up to date.

Did you run ESET and AdwCleaner?
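As an added example (not from the thread or either poster), here is a small Python audit of what the reply above describes: it reads a hosts file and separates sink entries of the kind Spybot's immunization adds (a name looped back to 127.0.0.1 or 0.0.0.0) from entries that redirect a name to a real address, which are the ones worth checking before resetting the file to default. The sample hosts content and the .example names are constructed.

```python
import ipaddress

# Constructed sample (not the poster's file).  The default Windows 7 hosts
# file is comments only, so every active line below is an addition of the
# kind Spybot S&D's immunization writes; the .example names are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1  bad-ads.example   # sink entry: name resolves to the machine itself
0.0.0.0    tracker.example
127.0.0.1  localhost
::1        localhost
192.0.2.10  www.example.com   # override: name sent to a different real address
"""

SINK_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}   # loopback / nowhere
LOOPBACK_NAMES = {"localhost"}                        # benign with a sink address

def parse_hosts(text):
    """Return [(address, [hostnames])] for each active line; comments and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                  # first field is not an IP address
        entries.append((parts[0], parts[1:]))
    return entries

def classify(entries):
    """Split entries into sinks (names looped back / blackholed) and overrides (names redirected to a real address)."""
    sinks, overrides = [], []
    for addr, names in entries:
        names = [n for n in names if n.lower() not in LOOPBACK_NAMES]
        if not names:
            continue
        if addr in SINK_ADDRS:
            sinks.extend(names)
        else:
            overrides.append((addr, names))
    return sinks, overrides

def audit_hosts_file(path):
    """Read a hosts file (e.g. C:\\Windows\\System32\\drivers\\etc\\hosts) and classify it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return classify(parse_hosts(fh.read()))
```

Sink entries only stop a name from resolving anywhere useful; an override pointing a well-known name at some other address is the case that should be explained before the file is reset.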
26 Jan 2014   #27
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

Thought of a few more things to clean up your system.

Seeing what Spybot did to your hosts file made me think that Spybot might have changed Windows firewall too. I don't know that for certain, but as a precaution, I would Restore Windows firewall to default values. This might cause you to re-answer prompts about allowing traffic for known applications, but there aren't that many exceptions.

Control Panel\All Control Panel Items\Windows Firewall
Select Restore Defaults in the left hand pane

The other thing I would recommend is the Revo uninstall app. This is a great utility that cleans up uninstalled applications that don't employ "best practices" when they are uninstalled.

Download Revo Uninstaller Freeware - Free and Full Download - Uninstall software, remove programs, solve uninstall problems
Revo Uninstaller Pro - How To

After you run ESET and AdwCleaner and they come up clean, I don't think I can add anything more.

I'll keep an eye on this thread if you need help with what I've suggested or have questions.

Bill
-
26 Jan 2014   #28
oddblob

WINdows 7 Home Premium 64bit

Quote: Originally Posted by Slartybart
Seeing what Spybot did to your hosts file made me think that Spybot might have changed Windows firewall too. I don't know that for certain, but as a precaution, I would Restore Windows firewall to default values. This might cause you to re-answer prompts about allowing traffic for known applications, but there aren't that many exceptions.

-
Okay, I ran ESET and it found two threats, OpenCandy and Somoto; from a quick Google search they look like the sort of crap which comes with some downloads (although I'm usually very cautious with what I accept...). Also, AdwCleaner flagged a folder and deleted it, but that folder comes up with every scan I do! It's an empty folder and I just deleted it myself now.

Also, since I've restored Hosts, the Remote Host Name on Currports is now my PC name! I guess Spybot S&D screwed something up there... I also guess it was a red herring, but thanks for that help!

What should I do about the files found by ESET? They're both still there, and I don't remember downloading the .exe which is in my Downloads... Also, regarding this recurring folder, /System32/Tasks/NCH Software, should I be suspicious about this?

Looking at this: https://en.wikipedia.org/wiki/NCH_Software I don't recognize any software from that list...

I also reset my Firewall settings.

Attachment: new.zip (the logs from ESET and AdwCleaner).

Edit: Just to add: my PC is actually running noticeably faster now. Usually when I shut it down, it would hang on some screen saying something like "closing programs"; when I just shut it down, it didn't do that for the first time in ages! Thanks!

Edit 2: I found out epm.exe is a partitioning tool I have, would you recommend uninstalling this?


26 Jan 2014   #29
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

Open Candy is in a lot of installers, you don't get the option to untick it. Some call it sneakerware.
Somoto, I'll look up just to err on the side of caution.

What is the name of the folder AdwCleaner found?

Cool - currports is reporting correctly.

re: files found by ESET, still in downloads, don't recall downloading... what is the exe name?

if you don't need it, delete it/them

re: NCH - sounds familiar, let me read up

I'll take a look and let you know if there's any more that needs to be done.

Always glad to help, always glad to hear good news.
26 Jan 2014   #30
oddblob

WINdows 7 Home Premium 64bit

Quote: Originally Posted by Slartybart
Open Candy is in a lot of installers, you don't get the option to untick it. Some call it sneakerware.

What is the name of the folder AdwCleaner found?

-
Ah, that could be why; it was in EaseUS Partition Manager, which I needed to do something with some SD cards a few months ago. I'll uninstall that using Revo then!

C:\Windows\System32\Tasks\NCH Software was this mysterious folder which keeps cropping up...
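Added example, not from the thread or either poster: the folder oddblob keeps seeing is where Task Scheduler stores task definitions (one XML file per task, in vendor subfolders), and the way to judge such a folder is to read what each task launches and when. This Python snippet does that; the sample task definition, the vendor name and the paths are constructed placeholders, and only the schema namespace is the real one.

```python
import os, xml.etree.ElementTree as ET
# Task Scheduler keeps one XML definition per task under %SystemRoot%\System32\Tasks;
# a vendor subfolder such as "NCH Software" holds that vendor's tasks.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}  # real task schema namespace

# Constructed task definition for the demo; vendor, path and arguments are placeholders.
SAMPLE_TASK_XML = """<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>EXAMPLE-PC\\user</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files (x86)\\ExampleVendor\\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Locations an ordinary user can write to; a task launching from one deserves a closer look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def summarize(root):
    """Pull author, trigger kinds and Exec actions out of a parsed <Task> element."""
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS)
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [c.tag.split("}")[-1] for c in trig]
    actions = []
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append((cmd, args))
    return {"author": author, "triggers": triggers, "actions": actions}

def summarize_task_xml(text):
    return summarize(ET.fromstring(text))

def runs_from_user_writable(command):
    return any(marker in command.lower() for marker in USER_WRITABLE)

def audit_task_folder(folder):
    """Summarize every task file under a Tasks subfolder; real files are UTF-16 with a BOM, which ET.parse handles."""
    report = {}
    for dirpath, _, files in os.walk(folder):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                report[path] = summarize(ET.parse(path).getroot())
            except ET.ParseError as err:
                report[path] = {"error": str(err)}
    return report
```

A task whose Exec command points at an uninstalled product is harmless leftover that Revo or a manual delete clears; one that launches from a user-writable location, or from a path you cannot tie to any installed program, is the kind to look into further.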