PDA

View Full Version : Stubborn connections to www.007guard.com



dvUSR
2008-08-08, 22:41
Hello Helpers!

I have noticed that starting Firefox (2.0.0.15) led to several connections being established to www.007guard.com on various ports. Not experiencing any hijacking of the browser, just these extra connections.

The process list tool in Spybot SD showed Firefox connecting to the loopback address for www.007guard.com. This was a relief, but obviously I don't want unnecessary connections to localhost to be attempted, either.

Still, I can't get rid of whatever is causing these connections. I've run several (7, to be exact) anti-malware tools, carefully downloaded from vendor sites, all to no avail. (I did find the highly suspect srchassist directory in the Windows directory; however I was able to delete it successfully, with a dummy file to prevent it from being recreated. This did not affect the 007guard problem).

I am running XP Pro. SP2.

Any help is much appreciated.

David
UC Berkeley


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:26 AM, on 8/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\University of Arizona Software\U of A VPN Client\cvpnd.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\system32\acs.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8110
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\ThinkVantage Fingerprint Software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\University of Arizona Software\U of A VPN Client\cvpnd.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 9427 bytes

shelf life
2008-08-15, 04:36
hi dvUSR,

sorry for delay, no shortage of posters. What you describe might be unique to firefox. I would try using IE, while monitoring traffic and see if you get the same connections to the web site. If not then i would next completely uninstall firefox following the procedure at link below and then reinstall it.

http://kb.mozillazine.org/Uninstalling_Firefox

dvUSR
2008-08-15, 18:54
Thanks for the reply. I have reinstalled Firefox following the steps on the link you gave, but on reinstall I am still seeing the same connections to localhost.

-David

shelf life
2008-08-16, 01:49
what are you using to view your connections with? anything in spybots host file will point back to localhost

dvUSR
2008-08-16, 03:12
This time it was netstat, but previously I was using the process viewer in Spybot to see specifically which programs were connecting to which ports.

Also, previously the connections were showing up in netstat as to www.007guard.com, but that was because I was missing the line of my hosts file for 127.0.0.1 to localhost. So now the connections are showing to localhost.

-David

dvUSR
2008-08-16, 03:14
This time it was netstat, but previously I was using the process viewer in Spybot to see specifically which programs were connecting to which ports.

Also, previously the connections were showing up in netstat as to www.007guard.com, but that was because I was missing the line of my hosts file for 127.0.0.1 to localhost. So now the connections are showing to localhost.

-David

shelf life
2008-08-16, 04:14
hi,

ok. can you post a log using netstat:

copy/paste or type in at the prompt:

netstat -an >C:\netstat.txt

will dump the output to your root C:/

dvUSR
2008-08-17, 07:08
Here is the log:


Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6060 0.0.0.0:0 LISTENING
TCP 0.0.0.0:50000 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1926 127.0.0.1:1927 ESTABLISHED
TCP 127.0.0.1:1927 127.0.0.1:1926 ESTABLISHED
TCP 127.0.0.1:1928 127.0.0.1:1929 ESTABLISHED
TCP 127.0.0.1:1929 127.0.0.1:1928 ESTABLISHED
TCP 127.0.0.1:2386 127.0.0.1:62514 ESTABLISHED
TCP 127.0.0.1:4664 0.0.0.0:0 LISTENING
TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING
TCP 127.0.0.1:62514 0.0.0.0:0 LISTENING
TCP 127.0.0.1:62514 127.0.0.1:2386 ESTABLISHED
TCP 192.168.1.106:139 0.0.0.0:0 LISTENING
TCP 192.168.1.106:2673 89.238.64.41:80 TIME_WAIT
TCP 192.168.1.106:2674 89.238.64.41:80 TIME_WAIT
TCP 192.168.1.106:2676 89.238.64.41:80 ESTABLISHED
TCP 192.168.1.106:2677 65.55.13.158:443 ESTABLISHED
TCP 192.168.1.106:2678 89.238.64.41:80 ESTABLISHED
TCP 192.168.1.106:2679 89.238.64.41:80 ESTABLISHED
TCP 192.168.1.106:2680 89.238.64.41:80 ESTABLISHED
TCP 192.168.1.106:2681 89.238.64.41:80 ESTABLISHED
TCP 192.168.1.106:2682 89.238.64.41:80 ESTABLISHED
TCP 192.168.1.106:2684 192.168.1.103:139 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:4500 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1798 *:*
UDP 127.0.0.1:62514 *:*
UDP 192.168.1.106:123 *:*
UDP 192.168.1.106:137 *:*
UDP 192.168.1.106:138 *:*

Thanks again!
David

shelf life
2008-08-17, 17:44
hi dvUSR,

dont see anything unusual in the log. netstat is not really the best for mapping processes to ports.fport would be better. we could try that. just trying to see if you have malware that is listening on a port. you did scan with several anit-malware apps, its unlikely one of those wouldnt pick up anything.

you have some common window services. they are not needed. netbios (137,138) can also be disabled unless you share files between computers. there is a app that will do this for you. up to you. read the documentation first:

http://www.firewallleaktester.com/wwdc.htm