Windows 7: Suspicious TCP/UDP connections on Currports

23 Jan 2014   #1
oddblob

Windows 7 Home Premium 64bit
 
 
Suspicious TCP/UDP connections on Currports

Hello, I've just run the software 'Currports' and I've found some suspicious listings there... Here are a few (should I be worried?)

Process Name:AppleMobileDeviceService
local port:27015
Remote address:127.0.0.1
Remote host name:www(dot)007guard(dot)com
State:Established

What has me suspicious is I'm pretty sure 007guard is known for malware, but where I'm confused is, in my Hosts file, 007guard is listed as 127.0.0.1 (I'm not really a networks guy, but doesn't that mean any connections to that domain will go to 127.0.0.1, i.e. home?)

There's a few similar ones as well, like Dropbox.exe and even Firefox.exe, iTunesHelper.exe, a few 'System'
and some 'Unknown's that go to odd sounding 'Remote Host Names'

I have Avast! installed, Malwarebytes available, and they've never flagged anything. I have had issues with malware in the past but it seemed my AV (AVG at the time) cleared that up. Also, the suspicious connections seem to be in the port ranges of around 20000 - 50000... Any other details you need, just ask!
Any advice is welcome!

Edit: So I accidentally posted two threads on this; here was the second post, it has some extra information in it, I hope it's helpful!:

Hello, I've just run the program Currports (sort of like a detailed Netstat command) and I've found some suspicious connections. Should I be worried about these? Is my computer likely to be infected with malware? These are some suspicious connections I've come across:

Process Name:AppleMobileDeviceService.exe
Protocol:TCP
Local Port: 27015
Local Address: 127.0.0.1
Remote Port:49212
Remote Address:127.0.0.1
Remote Host Name:www(dot)007guard(dot)com

This is the part that makes me suspicious, I'm pretty sure 007guard is known for being malware so is this legitimate? I get a bit confused as the addresses are both 127.0.0.1/home, is this something to do with 007guard being in my hosts file as 127.0.0.1. (I'm not really a networking guy, but doesn't the hosts file mean any connections to this domain will redirect back to the IP listed there, in this case, me?)

There's some other processes that are like this, Firefox.exe, iTunesHelper.exe, two 'System' and some 'Unknown's which have the Remote Host Name as some domains which look suspicious... (e100.net, akamaitechnologies.com, reverse.softlayer.com and some designermedia.com). The Unknown entries also have different IPs to 127.0.0.1, yet have their remote port listed as 80 (web server?) so I'm assuming that is normal from me just using Firefox, but I only have this tab open...

Any advice on what I should do is welcome, having any connection to 007guard seems pretty suspicious to me...


23 Jan 2014   #2
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
 
 

Regarding 007guard(dot)com

The information you show (thank you) tells me that AppleMobileDeviceService is directed to 127.0.0.1 which is a loopback address to your machine. It doesn't actually go anywhere.

I don't know much about 007guard and I have no idea if there is anything else lurking, but let's find out.

I'd recommend running a few scanners, start with Malwarebytes and
run a full system scan (about an hour on my machine)


Download Malwarebytes' (Mbam)
When installing Malwarebytes,
do NOT elect the free trial of the full version;
you only want the free version.

Post if Mbam finds and fixes anything.

Thanks.
23 Jan 2014   #3
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
 
 

A few more searches and this seems to be related to Spybot Search and Destroy immunization.

Open C:\Windows\System32\drivers\etc\hosts
-> there is no extension


If there is an entry 127.0.0.1 in there, close the file and let me know that hosts is fine.

If not, I'll come up with the easiest way to define local host in your hosts file
-> it can get convoluted due to the status of the hosts file (you can't just edit and save, or copy and replace)


Better yet - copy the contents of the hosts file and paste them in a post
-> select all of the text and click the # icon on the post menu to include it in a "code box"

24 Jan 2014   #4
oddblob

Windows 7 Home Premium 64bit
 
 

Quote: Originally Posted by Slartybart
Regarding 007guard(dot)com
Post if Mbam finds and fixes anything.
So, after finally getting Safe mode to work (Explorer.exe kept crashing for reasons unknown) I managed to get MBAM to run a scan; it came back with 10 objects found, nothing major, 'Conduit' and 'Spigot', which after some Google searches is some toolbar/adware sometimes installed with software. These were unrelated to any of the programs that have 007guard(dot)com as their Remote Host Name.

I've been brainstorming a bit, and I was wondering if I changed the first line of Hosts from
127.0.0.1 www(dot)007guard(dot)com to
127.0.0.1 Some other website
And seeing if that changes the remote host name, is there a danger in editing this though? What permissions should I allow to do that. My Hosts file is a couple of thousands lines... which are all seemingly added by Spybot S&D, I'm under the idea at the moment that if it wasn't for this line in the Hosts file, then my computer would be connecting to malicious sites... any further advice?
Thanks for the help

Edit: I should probably also add, that for each of these suspicious TCP connections, there is more than one of the program, some of which connect to 0.0.0.0 with no port. And some of which have no information like that defined.
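An added example, not code from either poster, modelling why CurrPorts labels a 127.0.0.1 connection "www.007guard.com": the Windows resolver answers a reverse lookup of an address from the hosts file, the default file has its localhost line commented out, and so the first Spybot immunization entry becomes the displayed name. The hosts content below is constructed and the assess helper is hypothetical.

```python
import ipaddress

# Constructed sample hosts file (not the poster's real file): Windows' default
# commented-out localhost line, then Spybot S&D-style immunization entries that
# pin known-bad domains to the loopback address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
127.0.0.1  www.007guard.com
127.0.0.1  007guard.com
127.0.0.1  ads.example.invalid
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs in file order, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries

def reverse_lookup(entries, ip):
    """Hosts-file reverse lookup modelled on the Windows resolver: the first
    name listed for that IP wins, and that is the name CurrPorts displays."""
    for entry_ip, name in entries:
        if entry_ip == ip:
            return name
    return None

def assess(entries, local_addr, remote_addr):
    """Label a CurrPorts row: loopback-to-loopback traffic never leaves the host,
    so the displayed host name is cosmetic, not evidence of contact with it."""
    local, remote = ipaddress.ip_address(local_addr), ipaddress.ip_address(remote_addr)
    name = reverse_lookup(entries, remote_addr)
    if local.is_loopback and remote.is_loopback:
        return {"shown_as": name, "verdict": "loopback: stays on this machine"}
    return {"shown_as": name, "verdict": "leaves the host: check the process"}

if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print(assess(entries, "127.0.0.1", "127.0.0.1"))
    # Moving another entry to the top changes only the label, not the traffic.
    reordered = [entries[-1]] + entries[:-1]
    print(assess(reordered, "127.0.0.1", "127.0.0.1"))
```

Reordering the entries shows that editing the first hosts line, as asked above, would only change the name CurrPorts prints for 127.0.0.1, not where the packets go.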
25 Jan 2014   #5
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
 
 

Well oddblob,

If Mbam found ten malware programs, that's not a good sign.

Conduit and Spigot are not very nice players - I would not call them minor issues.

Let's see what else is there -> please attach the most recent Mbam log to a post.
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\protection-log-yyyy-mm-dd

You might have to put the log in a zip file to attach it due to the forum post file types

After posting the Mbam log
Please download the Farbar Recovery Scan Tool
Select the 64-bit version.


Save it to your Desktop.
  • Double-click the downloaded file to run it.
  • When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • FRST64 makes a log (FRST.txt) in the same directory (Desktop) from which the tool is run.
Please provide the FRST.txt in your reply. <<---

Thanks
25 Jan 2014   #6
oddblob

Windows 7 Home Premium 64bit
 
 

Quote: Originally Posted by Slartybart
Well oddblob,
Please provide the FRST.txt in your reply. <<---
I went to the path for mbam logs, but it was empty. I could provide a photo of the mbam GUI and what the results of that were if that's useful to you ( www.i.imgur.com/toRRJ8i.jpg )

I've attached a .zip of what FRST produced.
FRST.zip

Thanks


25 Jan 2014   #7
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
 
 

Don't worry about the Mbam log (we're batting 1000 on that - the image you posted isn't found either). I might have given you the wrong location - working off old information on where the log is stored - sorry about that.
>> we'll skip the Mbam log for now

It looks as though you have more than one real time Anti-virus (AV) on your machine. This isn't a good idea as each one tries to figure out if the other(s) are malware and they tend to fight each other.

It could be that you just have some on-demand scanners. Depending on the scanner, they usually run fine with a real time AV program.

Please let me know what you have installed as far as AV and scanners. I'd like to get you down to one AV program and no scanners except for Mbam and Farbar. Once I get your list, I will let you know what I think should be uninstalled or removed.

This is housekeeping on your system, it will help get your system disinfected by cutting through the clutter, but this step won't remove any malware in itself.

Other than that, I'm still parsing the FRST.log

Thanks
25 Jan 2014   #8
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
 
 

Could you post the secondary Farbar log: addition.txt (it should be on your desktop)

Thanks
25 Jan 2014   #9
oddblob

Windows 7 Home Premium 64bit
 
 

Quote: Originally Posted by Slartybart
Could you post the secondary Farbar log: addition.txt (it should be on your desktop)

Thanks
Sorry about the imgur link, the new link is: www.i.imgur.com/03gt3bx.jpg
Regarding mbam.../logs the folder was there, but no files.
Over a few years I've had multiple AVs: AVG, BitDefender, Norton, McAfee and a few more, but I've always uninstalled them before installing a new one. My current one is Avast! and that's the only real time AV I'm aware of having. I also have mbam, Spybot (outdated) and Trend Micro's RUBotted. Adwcleaner and FRST are extra scanners. Attached should be Addition.zip.
Addition.zip
Thanks for this support!


25 Jan 2014   #10
Slartybart

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
 
 

You're welcome and thanks for reposting imgur. To save you some time, if something doesn't quite work out (imgur) and I need it, I'll ask that you repost it - otherwise it's no big deal.

Ok, I'm just seeing ghosts of previous AV installs. I'd like to clean that up at some point because even remnants can get in the way of your current AV.

Avast!, Mbam, Adwcleaner, and FRST are fine.

Please uninstall SpyBot and RUBotted. You can reinstall them if you want after we get through this exercise.

The FRST.txt doesn't look as bad as I thought. I had to check some unfamiliar apps (jagex, Camdata) but we'll see in the next steps.

There are two, what look to be install pkgs, under your user profile. Both are world painter (minecraft?)
If you could verify that and you don't need them, I'll complete the fix script and let FRST take care of them.
In other words, you don't have to delete them FRST will.

If you want to keep them or one, let me know and I'll take them out of the script and you can manage those exe files.
If you don't know anything about those files, I suggest that they be removed by FRST.